
Diving into Pegasus Spyware


Hello All!

Recently the term “Pegasus” has come into the limelight all across the globe, leaving people anxious with questions such as: where did it suddenly come from? Am I a potential target? If so, how do I detect it and safeguard myself?

History of Pegasus Spyware : With all of the recent news coverage and headlines, this may appear to be a fresh threat to the cyber world, but Pegasus was first publicly documented in 2016, when researchers at Citizen Lab and Lookout found it targeting the iPhone of a human-rights activist; an Android variant was documented the following year. Pegasus is surveillance software (spyware) developed by the Israeli NSO Group and sold to its customers as a service. Spyware in general is software that collects data from a target device and sends it to a remote command-and-control (C2) server.

What it can do/steal? : Pegasus is a potent spyware that targets iOS and Android devices (phones and tablets). Once installed it can read essentially all of the data on the device: the photo gallery, contacts, SMS, WhatsApp and other messenger chats, and so on. End-to-end encryption does not protect those chats here, because it protects messages in transit; the spyware reads them on the device, where they are already decrypted. It can also switch on the microphone and camera, record phone calls, video calls and WhatsApp calls, and track the user's current location and location history.

Working of Pegasus : Early Pegasus infections relied on the victim clicking (or being tricked into clicking) a malicious link. The target received an SMS or a message containing the link, and opening it in the browser triggered an exploit chain that downloaded and installed the spyware. This "one-click" model had a restricted infection strategy because it depended on the victim's action. The spyware has advanced significantly since then and now leverages "zero-click exploits", which need no action from the target at all. In one publicly documented case in 2019, a flaw in WhatsApp's call handling allowed a phone to be infected simply by placing a WhatsApp call to it, whether or not the call was answered; later zero-click chains abused messaging apps such as iMessage. In other words, the user does not need to tap any URL for the spyware to gain access. Knowing the target's phone number can be enough: the operator sends the message or call that carries the exploit, and the same delivery confirms that the number belongs to a device that has an active SIM card, is connected to the network and is switched on.

Once the exploit has run, the spyware discreetly escalates its privileges: on iOS this amounts to jailbreaking the device, on Android to rooting it. Both terms describe bypassing the security controls built into the operating system (sandboxing, code signing, the permission model) to obtain root (superuser) access, which allows operations that ordinary apps cannot perform, such as installing services or apps that are not available on the App Store or Play Store, reading other apps' data and hooking system components. Here the jailbreak is performed by the spyware itself through kernel exploits, without the user's knowledge and with no visible change to the device. After gaining root, Pegasus installs additional components, establishes a connection to its command-and-control server and commences its spying.

Some of the features that allow Pegasus to spy on a device without being noticed are listed below.

  1. It disguises the malicious services/processes it installs on the device under innocuous-looking names.
  2. When the device is roaming, the spyware does not transmit data, to avoid detection (for example through unexpected roaming data charges).
  3. Pegasus keeps its footprint on the device small so that storage use does not attract undue attention.
  4. If data cannot be transmitted, it encrypts and stores the collected data on the device, discarding the oldest records first (first-in, first-out) when space runs low, so that little evidence accumulates.

Why isn't it banned yet? The tool is marketed for law-enforcement and intelligence purposes: tracking terrorist activity, cross-border threats, and insiders who leak highly sensitive information, among other things. NSO Group states that Pegasus is sold only to government agencies, under export licences granted by the Israeli government, and that private companies are not allowed to use it. The 2021 reporting that brought Pegasus into the headlines concerned its alleged use against journalists, activists and politicians rather than criminals, which is what has prompted calls for regulation.

How to detect the attack? The symptoms usually listed are the following, but they are weak indicators: Pegasus is built to be quiet, and each of them can have a mundane cause.

  1. Your device is using far more mobile data than usual.
  2. The battery drains faster than usual.
  3. The device reboots or crashes at random intervals (failed exploit attempts and the spyware's own components can destabilise the system).

A reliable answer needs forensics rather than symptoms. Amnesty International's Mobile Verification Toolkit (MVT) checks an iPhone backup or an Android device against published indicators of compromise (malicious process names, C2 domains, links seen in SMS), and Amnesty and Citizen Lab publish those indicators. On iOS an ordinary encrypted backup taken with Finder or iTunes is enough to start; the check looks for known process names in the network-usage records and known domains in browser history and crash logs, among other artefacts.
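The symptoms above are what a user can notice; what an analyst actually does is match artefacts recovered from the device against a list of indicators of compromise (IOCs), which is the approach Amnesty's Mobile Verification Toolkit takes. The following Python sketch is an added example, not code from the original post and not the code of NSO Group, Amnesty International or Citizen Lab. It works on constructed data only: the IOC domains and process names are hypothetical placeholders, and the network-usage log is a made-up `timestamp key=value` format standing in for whatever database the real tool parses. The detail worth seeing is the domain check, which respects label boundaries so that `cdn-updates.example.org` or `evilcdn-updates.example` do not match an indicator for `cdn-updates.example`.

```python
"""IOC matching against device artefacts.

Added example, not code from the original post and not the code of NSO
Group, Amnesty International or Citizen Lab. Every domain, process name
and log line below is a constructed placeholder.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed IOC lists (hypothetical names; real indicators are published by
# researchers, and a real scan would load them from a STIX2 or CSV file).
IOC_DOMAINS = {"cdn-updates.example", "sync-service.test"}
IOC_PROCESSES = {"placeholderd", "fakeacntd"}


@dataclass(frozen=True)
class Finding:
    kind: str       # "domain" or "process"
    value: str      # artefact on the device that matched
    indicator: str  # the IOC it matched
    record: str     # raw record, kept so the analyst can trace the hit


def normalize_host(host: str) -> str:
    """Lower-case a host name and strip the trailing dot of a fully qualified name."""
    return host.strip().rstrip(".").lower()


def domain_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IOC domain itself or a subdomain of it.

    The label boundary matters: a naive substring test would wrongly flag
    'evilcdn-updates.example' and 'cdn-updates.example.org'.
    """
    host, ioc = normalize_host(host), normalize_host(ioc_domain)
    return host == ioc or host.endswith("." + ioc)


def parse_netlog_line(line: str) -> dict[str, str]:
    """Parse one constructed 'timestamp key=value key=value ...' record."""
    ts, *tokens = line.split()
    fields = {"ts": ts}
    for tok in tokens:
        key, _, value = tok.partition("=")
        fields[key] = value
    return fields


def scan_netlog(lines: Iterable[str]) -> list[Finding]:
    """Check each record's destination host and originating process against the IOCs."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        rec = parse_netlog_line(line)
        host = rec.get("host", "")
        for ioc in sorted(IOC_DOMAINS):
            if domain_matches(host, ioc):
                findings.append(Finding("domain", host, ioc, line))
        proc = rec.get("proc", "")
        if proc in IOC_PROCESSES:
            findings.append(Finding("process", proc, proc, line))
    return findings


def scan_processes(process_names: Iterable[str]) -> list[Finding]:
    """Check a plain process list (e.g. from a diagnostic dump) against the IOCs."""
    return [Finding("process", p, p, p) for p in process_names if p in IOC_PROCESSES]


# Constructed sample data, not real device records.
SAMPLE_NETLOG = """\
# constructed network-usage records: timestamp proc= host= bytes=
2021-07-18T10:21:03Z proc=assistantd host=gateway.icloud.example bytes=1203
2021-07-18T10:21:09Z proc=placeholderd host=a1.cdn-updates.example bytes=88213
2021-07-18T10:22:40Z proc=Safari host=cdn-updates.example.org bytes=512
2021-07-18T10:23:01Z proc=mediaserverd host=SYNC-SERVICE.TEST. bytes=40
"""
SAMPLE_PROCESSES = ["launchd", "SpringBoard", "placeholderd", "backboardd"]


def report(findings: list[Finding]) -> str:
    """One line per hit, pointing back at the raw record."""
    return "\n".join(f"[{f.kind}] {f.value} matched {f.indicator}: {f.record}" for f in findings)


if __name__ == "__main__":
    hits = scan_netlog(SAMPLE_NETLOG.splitlines()) + scan_processes(SAMPLE_PROCESSES)
    print(report(hits) if hits else "no IOC matches")
```

Run as a script it reports three hits from the log (the subdomain of one IOC domain, the placeholder process that contacted it, and the upper-cased, dot-terminated spelling of the second IOC domain) and one from the process list; the `Safari` record to `cdn-updates.example.org` is correctly left alone. A real investigation replaces the constructed inputs with the device's own records and the published indicator files, and never the other way round: an empty result with a stale IOC list proves nothing.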

Safeguarding yourself from this attack: Good cyber hygiene reduces your exposure, although it should be said plainly that no hygiene step defeats a true zero-click exploit; against those, only the vendor's patches (and, on recent iOS versions, Apple's Lockdown Mode) help. Some of the steps are:

  1. Never visit or click on unidentified or suspicious links or URLs.
  2. Do not run an obsolete operating system or app. Check for updates and security fixes regularly and install them promptly; most of these updates include security bug fixes, and several Pegasus exploit chains were closed by exactly such updates.
  3. Never open attachments, files or programs from unknown sources. These can carry viruses, spyware and other malicious software.
  4. Reboot the phone regularly. Researchers analysing infected iPhones found that Pegasus often did not survive a reboot, so a daily restart forces the operator to re-exploit the device and increases the chance that traces are left behind.

Conclusion:

I hope this post has given us all a better understanding of Pegasus and of spyware in general. Although this spyware could in principle target anyone with an Android or iOS smartphone, not everyone is a victim: Pegasus is a targeted surveillance service that is typically employed against high-profile individuals, because each infection is a costly and time-consuming operation. For more technical information about spyware samples, execution and detailed reports, visit https://github.com/9aylas/Pegasus-samples

Compiled by: Vikash Sharma, 7th CS, 2019 Batch, 18162171033

ictblog