Pegasus is a spyware that has apparently been in use since 2013. It’s capabilities are constantly evolving, using new zero day exploits, often in potent combinations to get into a device and stay there. Digital forensics expert Nikhil S Mahadeshwar, Co-founder & CTO of Skynet Softtech tells us, “the Pegasus spyware is a software originated from an Israel private organization known as the NSO Group. This group has created global headlines as it sparked a lot of political controversies.”
The methods used to get on the device can range from spear phishing attack, where a malicious link is sent over email to a missed call on an instant messaging app that does not require any interaction from the user, the so-called zero-click intrusion. Venkat Krishnapur, vice-president of engineering and managing director, McAfee Enterprise India explains, “A spyware can take multiple routes to reach a target’s phone. Pegasus – which is a spyware, in particular, has evolved from the traditional socially engineered form, where victims would need to click on a link and download the spyware, to a ‘zero-click’, highly sophisticated version requiring no user interaction. The ‘zero-click’ avatar exploits ‘zero-day’ vulnerabilities that are common in the OS or applications. Zero-day vulnerabilities are defects or holes in the software that are yet undiscovered and unpatched by the creators of the software. These are typically introduced due to poor coding during the software development phase.”
The NSO group offers the Pegasus platform as a product that is in active development, and as such is a cyber weapon, one that constantly adapts and exploits new and undiscovered vulnerabilities. Krishnapur gave us some insight on what it takes to keep such a product in development, “highly trained and experienced researchers work to just identify flaws in the software that are not yet known to the vendors and once the hole is discovered, an exploit mechanism that enables potentially complete access to the operating system and the device is developed. This is then used across popular applications such as WhatsApp or IMessage, for instance. As an example, a skilfully crafted message to your phone, is sufficient to cause an exploit of the discovered vulnerability, resulting in the device being completely taken over by the spyware.”
These are among the most sophisticated tools that you can see, where the attacker uses the most up to date and cutting edge tools to get a foothold on the system. Krishnapur tells us, “think of it as a thief in the real world who goes around a home that is locked looking for openings (research) and finds an open window that someone forgot to lock (vulnerability enabling ‘zero-click’ – no need to knock on the door). It is an open sesame post that, and what the thief can do inside the home is left to anyone’s imagination (exploit).”
Once Pegasus gets a foothold on the device, it becomes a persistent and modular platform. A remote operator can then snoop into all the calls, messages, photos, GPS and the data flying between the social media, email and instant messaging apps.
The persistence also allows remote commandeering of the mic and camera on the device. A Pegasus operative can access the plaintext messages before the instant messenger apps encrypt them and send them across to the recipient. Krishnapur explains, “once installed, Pegasus can set up shop within the phone, harvest almost any information or extract any file, messages, address books, call history, calendars, emails, and internet browsing history and transmit it back to its controllers through anonymised network servers. Instead of attempting to eavesdrop on data flowing between two devices, which will most likely be encrypted, Pegasus lets its deployers hijack and commandeer the device itself, obtaining access to everything on it.”
To the infected user, the instant messaging apps work as intended. As Krishnapur says, “cyber weaponry has come a long way, with Pegasus now considered one of the most advanced Android and iOS spyware to have ever been created. The stealth and self-destruction mechanisms through fileless operations, makes it a sophisticated and a formidable cyber weapon from a counter surveillance standpoint. It is a modular malware, malicious and untraceable, dubbed to be the ‘ultimate surveillance tool’.” Pegasus itself encrypts all the data that it uses, and actively tries to avoid detection using code obfuscation, and can wipe itself from the system if needed. This makes it difficult to detect using typical counter surveillance tools. Mahadeshwar says, “Pegasus is a type of spyware that is highly sophisticated in nature. The spyware can access your phone, whether Android or iOS. It has been known to attack even the latest versions of these smartphones. The various ways in which Pegasus attacks your smartphone includes detecting zero-day vulnerability and taking advantage of that, and as it gets into your phone, it can gain access to all your information, like contacts, call logs, microphones, and WhatsApp chats. Physically, the phone will be between you, but virtually it will belong to someone else.”
The Citizen Lab has been tracking the spyware since 2016, when a threat actor known as Stealth Falcon put up a homepage with a link directly into Pegasus infrastructure, exposing the spyware in the process. We asked Mahadeshwar what are the implications of an infection, “Pegasus spyware can extract all of your data because it can be planted via an attacker or by a hacker who is hired. Moreover, the data can be taken by the hacker or the hosting provider whose servers are hosting the data. If spyware is installed on your device, it can expose all your private data, including your identity, your text messages, and financial details such as your bank account and other banking details, resulting in reputational damage and financial losses.”
Cyberlaw expert Adv. Prashant Mali gave us some simple tips on how all of us can protect ourselves from spyware such as pegasus. “Update your phone OS. Watch your data consumption. Keep a check in spite of turning off your data connection, to see if it gets turned on automatically after some time. You can use the tool kit given on Amnesty International website to detect whether your phone is infected or not.”
As Apple pushes out the security updates to users directly, while the Android patches for vulnerabilities are staggered through device manufacturers as well as telecom service providers, there are more droids with vulnerabilities that both the malware use for infection and the forensic tools use for the purposes of data extraction. This also makes it harder to detect Pegasus on an Android device, so the toolkit uses the approach of scanning the messages for suspicious links, and the installed apps themselves. The toolkit posted on the Amnesty International website is developed in collaboration with the researchers from Citizen Lab who have been tracking this spyware for years.
To go ahead and check your own device for signs of tools such as Pegasus, it is necessary to do a forensic analysis of the phone, and extract the data. For the purposes of detecting cutting edge spyware that uses new vulnerabilities, it is necessary to audit all the data on the device, the bits sent between apps, the bits sent to the cloud, and all the bits on the flash memory, even the traces of deleted files. A logical extraction uses the internal language of the device itself, to get some kinds of data in realtime from the app such as messages, calls and the data used by apps. This can be a dump of all the messages and call logs. A file system dump of a device is a copy of all the data and information in a device, as it is stored. Then there is a physical extraction, which is an exacting copy of the memory of the device, allowing for recovery of deleted files such as notes, recordings and images. If the device uses password protection and encryption, then a lot of the data would not be accessible without the passcodes to get past the locked data. The simplest way to test an iOS device is to use an encrypted backup of the device, which is run through the command line tool available on GitHub (https://github.com/mvt-project/mvt).
To make the backup, you have to go through the painful procedure of installing iTunes on the machine, and making an encrypted backup of the device from File > Devices > Backup. For the purposes of detection using the Mobile Verification Toolkit (MVT), it is better to encrypt the backup rather than not, which actually stores the encrypted data from the phone on the machine. Without this option checked, there is a smaller file size, but without all the data needed for MVT to scan. You will need to enter in a password that you have to remember for that particular encrypted backup, and use the passcode to unlock the phone tethered to the computer during the backing up process. Once you have the backup ready, you have to access it through a CLI where you can actually use MVT. There are several ways this can be done. The best way to do this is with a Mac or Linux machine, although a Windows machine with Windows Subsystem for Linux or VirtualBox works just as fine. Another quick fix is to use a USB drive with sufficient space on it and install Linux on it, flashing a Linux Mint ISO using the Balena Etcher is a good option. One of the simple ways to load the backup into a Linux instance is to use an ISO file and mount it as a disc. Either way, once you have access to the backup in a Linux terminal, you have to install python, then the MVT, and scan the backups. For Android devices, the methodology is simple, connect the device to the machine with a terminal, put it in developer mode, and let the software do the work. MVT flags detections of Pegasus at this point, but at that point it is a bit too late. When it comes to spyware, the principle of “prevention is better than cure” applies.
So what does a user do when an infection is detected? Krishnapur tells us, “Once a device is taken over by Pegasus, there’s very little a victim can do because it is a zero-day attack with user-less interaction, in-memory (stealth), self-destruction, encryption and persistence capabilities – all phenomenal features that make it extremely hard to detect. Given that Pegasus exploits previously unknown loopholes in apps, devices cannot be protected by traditional means. A patch is needed to fix the vulnerability and till it is known and patched, it is that window of opportunity that is being exploited. Another aspect is that since it has significant persistence capabilities where it lives even after a factory reset, not using the infected phone is the only other way to prevent attack – and that requires one to even know there is an issue in the first place.” Mali also told us to junk or refresh the device, “I feel phone formatting and reinstalling the OS at the service centre is the better option. Apps like ‘Lookout’ can help to detect the Pegasus spyware too.”
Mahadeshwar also told us how to be careful of infections by a wide range of spyware, including Pegasus, “beware of phishing links, which are basically suspicious links that, once clicked upon, hacks the user's phones. Install a robust cybersecurity app and ensure that it is updated. One simple way is to have a pin enabled lock system, or better, a fingerprint enabled lock system, which helps to limit the physical access to the device. Open Wi-Fi connections can be a huge source of attack by hackers. One of the simplest things you can do is use apps that ensure you are connected to a reliable Wi-Fi Security network. You can use data encryption to protect your confidential files from being attacked and encrypted by hackers.”
The Citizen Lab tracks threat actors around the world known to use the spyware, and while there is a threat actor in the subcontinent codenamed Ganges, the platform comes at a very high price. Each installation or infection is charged, and the reported rates in 2016 varied from around $25,000 (Lookout) to $65,000 (NYT). It is still expected to be incredibly expensive, though the tracked threat actors seem to buy batches or bundles of licenses, the platform is only available to world governments. When we asked how worried should a regular user in a non critical job be of such spyware, Mali told us, “take it from me, installing, monitoring Pegasus is a costly affair which any government will not spend on the common man, if you are a common man like me don’t overthink, and don’t worry. If you are special just get a new phone and don’t click on sms with links without confirming the links on virustotal.com website.” Krishnapur was reassuring when it came to an infection by Pegasus being unlikely, but warned us about other malware, “most people are unlikely to be targeted by this attack (Pegasus) and there are still simple steps to minimise potential exposure — not only to Pegasus but other spyware too. Best practices and basic due diligence can be followed, such as - not clicking on unverified links or downloading files from an unknown sender, regularly installing device patches and upgrades, encrypting device data and enabling remote-wipe features, not visiting websites that don’t use the HTTPs protocol and avoiding use of public and free Wi-Fi services when accessing sensitive personal information.” Krishnapur goes on to explain, “While the threat is undoubtedly real, one should understand that it is not very commonly distributed like typical viruses and trojans. It requires significant time to find security holes and takes effort to build the spyware such as Pegasus. Also, such spyware is usually targeted to minimise detection and maximise impact and hence mostly low risk to most common users.”
While Pegasus is an extremely targeted threat, the run of the mill ransomware, malware and spyware that spread a wider net are an escalating threat in times of rapid digitisation. Mahadeshwar tells us, “cybercrime has become a huge nuisance since the pandemic began. While everyone is dependent on the work from home scenario, the dependency on technology has increased significantly.” Krishnapur also told us about spyware in general being extra malicious, “when it comes to spyware in particular, threat actors have evolved their techniques to break through strong defence mechanisms which are programmed into most anti-spyware security solutions. Some recent attacks have demonstrated that endpoints running on legacy or unpatched Windows OS are highly vulnerable to spyware attacks. In the wrong hands, such advanced spyware could be used to exploit and gain access to sensitive data that is crucial to national security and governance, having implications that are far beyond a traditional breach.” So the important things for users to keep in mind to protect yourself from spies on your device, is keep your devices updated, and don’t tap on fishy links.