The anatomy of spyware: Why Pegasus affects all of us

Security agencies have had their eyes on NSO Group and its Pegasus spyware for some time now. However, in July 2021, it became clear that the Israeli company was enabling governments to spy on journalists, politicians, and human rights activists, among others. The software, which was supposed to be used to fight terrorism, has thus became a powerful tool for totalitarian governments.

Seeing how most of us are not activists or journalists who have nothing better to do apart from reporting on corrupt governments. Still, WhatsApp CEO Will Cathcart warned that the danger posed by Pegasus is not limited to just a small group of people. It's a statement many NextPit readers agreed with.

But why should I worry when I'm not an investigative journalist, a politician, or a human rights activist? Regarding this matter, I spoke to cyber security experts and found out that the danger that Pegasus poses is not limited to just politics or is a symbolic matter.

Rather, in order to understand the true danger behind Pegasus, we will first need to find out just how NSO Group and Pegasus themselves operate. After all, our smartphones are safe, aren't they?

How Pegasus works and what the spyware does

Pegasus is a Trojan program that was discovered by a human rights activist back in 2016. In doing so, his discovery illustrated just how well spyware infiltrates new devices without the victim being any wiser. Ahmed Mansoor received a text message in 2016 that promised him new information about human rights violations according to Citizen Lab. In order to see this scoop, he was supposed to follow a link to a website that was new to him. 

Instead of blindly following, he forwarded the text message to Citizen Lab researchers. From there, they were able to match this individual case to previous cases that were linked to the same domain. In essence, just like a phishing email, NSO Group distributed its spyware via SMS messages. The advantage here lies in the fact that all that is required is the target's phone number and a compelling clickbait.

A visit to the website which Ahmed Mansoor avoided in 2016, would have then immediately triggered a series of so-called "ZETAs". This refers to attacks concerning zero-day exploits - attacks that target a previously undiscovered vulnerability. Strictly speaking, zero-day exploits describe vulnerabilities that are exploited on the day that they are discovered. However, as we will find out later, the exploits used by Pegasus remained vulnerable for a longer period of time.

In 2016, Pegasus exploited three zero-day exploits simultaneously (exact details in the sources), which eventually enabled a jailbreak. On iOS, a jailbreak grants unrestricted access to most features on an iPhone or iPad. This "hidden jailbreak" could hardly be detected by the user. The browser Safari launched briefly before the actual spyware "Pegasus" was installed.

Video tip: Are iPhones insecure because of Pegasus?

This installation had another rather unique result: Pegasus disabled the automatic updates in iOS. This meant that a future update could no longer close the exploited security holes, enabling the compromised device to remain vulnerable.

This was followed by setting up an encrypted connection to an NSO Group server and activating a self-destruct mechanism to avoid being tracked.

At this point in time, it's important to note that in known cases, it wasn't just iOS devices that were affected. Android phones could also be compromised by Pegasus. Instead of a jailbreak, zero-day exploits were exploited to grant root access. What is more exciting, however, is the wide range of data that can be extracted using Pegasus.

Pegasus can read this data from smartphones

If you know a little about iOS and Android, the terms "root" and "jailbreak" would have probably already triggered an uneasy feeling in you. In reality, hardly any door remains closed to an attacker. What allows you to have pretty cool features yourself is not welcome by an attacker.

• How to root Android smartphones: The ultimate guide

Apart from recording conversations, copying the address book and accessing documents and photos, it will also be able to eavesdrop on instant messengers like WhatsApp, Telegram, Signal, and others - an act that made headlines in July 2021. Even protective features such as end-to-end encryption is not much good if attackers are able to pull data from the targeted device using administrator rights.

In a nutshell: If Pegasus has found its way onto your smartphone, you're screwed, plain and simple. This is of course especially critical if your address book contains information about secret informants, whistleblowers, or other important people, as well as information that has been exchanged. 

However, the presence of a spyware like Pegasus also carries consequences that are far less obvious.

This is why Pegasus really does affect "all of us"

While few of us are likely to be direct targets for Pegasus, it should not be dismissed lightly. As a tech journalist, I'm a persona non-grata to the Azerbaijan government, and that's due to one factor apart from the irrelevance of my existence to them: Pegasus is expensive as hell. Thus, the software is not suitable for mass surveillance of entire populations.

But companies such as the NSO Group have been able to attract the attention of states and governments as their customer base, moving very powerful players onto a playing field that otherwise tends to be the domain of cybercriminals, security companies, and developers.

I have highlighted two dimensions that emerged in a conversation with two security experts below on how Pegasus implicates the entire Internet and smartphone user base. Since NextPit is a tech magazine, I'm deliberately not going to venture into the political dimension, which has been discussed in depth since the July revelations. If you're interested in that, I would like to refer you to The Guardian.

Exploit brokering carries grave dangers

Governments and states do not only have a vested interest in information and intelligence, but they also have a lot of money. According to the security company Lookout, a target on the Pegasus monitoring menu costs an average of US$25,000. In one case, NSO Group is said to have sold as many as 300 licenses for a whopping $8 million.

Hence, the company has a multi-million dollar budget at its disposal to buy the aforementioned zero-day exploits on the black market. As Bodgan "Bob" Botezatu, director of threat research at Bitdefender, mentioned to me in passing, this trade is known as "exploit-brokering." Co-brokers like NSO Group have also caused several problems in the process.

One thing is for sure, it reduces the likelihood that a security company or even developers themselves will be able to obtain information about critical vulnerabilities. After all, it's not always ethics that drive hackers and those who discover such vulnerabilities on the web, Bob said in a somewhat cynical manner.

Companies such as the NSO Group, on the other hand, benefit from keeping vulnerabilities open for as long as possible. They do have a vested interest in exploiting the vulnerabilities after all. Even if the NSO Group doesn't make this public, the vulnerabilities remain open. This ensures the public will remain unaware of such exploitable security loopholes, but is also discoverable by other hackers and attackers - resulting in a major security risk.

Hence, while NSO Group is not targeting a large number of users with its customer base, there are certainly companies and attackers who are doing just that. One example that Bob pointed out in a very graphic manner, was the disclosure of a critical vulnerability in the SMB protocol, which is a protocol used to share files over the network.

A subdivision of the U.S. NSA had been using this vulnerability for five years to monitor certain individuals. The exploit, known as "EternalBlue," was eventually stolen by a group who call themselves "The Shadow Brokers" and published it on the web. The NSA was eventually forced to report the vulnerability to Microsoft.

Being innocent doesn't mean never being under suspicion

Bob brought up a second issue that I found to be very interesting concerning Pegasus. As one reader commented in my survey regarding spyware, when it comes to privacy, you often hear the argument that if I have nothing to hide, I'm OK with being spied upon. However, having this attitude can be rather dangerous.

You might happen to be in the wrong place at the wrong time on a trip and you're a potential target for surveillance software. Even if there's no critical information on your smartphone: Pegasus doesn't change the locks on the doors it had to break open during the attack. So Bob warned, "If your smartphone has been rooted or jailbroken, it will remain that way."

So along with suspending software updates, your smartphone remains largely unprotected after a spyware attack. True, governments may only want to look for secret information that you do not carry. But the door is also open to cyber criminals who want your banking information, passwords, and other critical information.

Hence, even if you don't think that you're a target for Pegasus, it's important to protect yourself against such spyware.

How to protect yourself against Pegasus and other spyware

Even after all this doom and gloom, Filip Chytry claims that we need to take a more serious look at the matter. This is because the security expert warned: The outcry in the media about Pegasus is mainly because it involves political personalities and "big names" who are connected to it.

Die Zeit Online reported on 20 July 2021 that even high profile politicians such as Emmanuel Macron or Iraqi President Barham Salih were spied upon with the help of Pegasus. The phone numbers of friends of murdered journalist Jamal Khashoggi were also found on NSO Group's lists.

What does this mean? A whole lot has been reported about Pegasus mainly because it's a good story. It is just the tip of an iceberg that includes many other companies with a similar business model. In this regard, Filip pointed out the FinFisher software, which I won't delve into further for space reasons. However, the topic of FinFisher is really exciting, so feel free to read it at DW if you are interested.

The issues I've addressed in this article, where both security experts mentioned independently in conversation, point to a systemic problem. Once again, addressing your own data privacy is more important than ever.

• Also read: How many Android updates do smartphone manufacturers offer?

Checking whether Pegasus has ever affected your smartphone is not so easy to determine. First of all, you can check whether your smartphone has the latest security updates. If this is not the case, you should be suspicious at the very least.

Amnesty has developed a tool for iPhones to check their backups under MacOS for traces of Pegasus. The entire procedure is a rather complicated one and requires a bit of practice with the Terminal under MacOS. Do you want to learn more about it? Then check out what this article from TechCrunch.

Apart from that, the two security experts both gave one really simple tip: keep your smartphone and the apps installed on it up to date. Procrastinating on updates is a bad idea. But according to our June poll, just a few of you do that religiously anyway. I have compiled Bob Botezatu and Filip Chytry's remaining tips in the following checklist:

Security Checklist: How to protect yourself against spyware

1. Install updates directly whenever they are available.
2. Enable automatic app updates.
3. Check installed APK versions of apps regularly for updates.
4. Before travelling abroad: Check whether there is a new security update. If you are travelling to a country where you are worried about surveillance, get a cheap burner phone that you can throw away afterwards.
5. Never open links from sources you don't trust.

Bob's tip about getting a "burner phone" - a disposable phone, sounds like something out of a Hollywood movie. Considering the consequences of spyware like Pegasus has on the future security of your smartphone, this advice is not so far-fetched after all. Additionally, installing security software on your smartphone will also protect you.

• These are the best Android smartphones under $200

According to Bob, many security solution providers, including his employer Bitdefender, use artificial intelligence to detect anomalies in traffic and the behavior of certain apps. Even if a new spyware remains unknown and the signature is therefore not yet in the databases of security companies, you will receive a warning and can take proactive steps to protect yourself.

Conclusion: Endanger many to protect many?

The existence of spyware such as Pegasus, which is also often referred to as the "Trojan state", points to a contradiction in cyber security. After all, in order to monitor the communications of certain individuals, the security of countless smartphone and PC users is put at risk.

There are not only direct consequences such as the danger of catching a Trojan even on your private smartphone. It's much more the other consequences, like security holes being patched up much later, that affect each and every one of us. Also, feeding a market where zero-day exploits are sold to spyware developers creates more insecurity when it comes to users of operating systems and apps.

Pegasus is an extreme case in this regard, as the surveillance served not only to protect democracy but to secure authoritarian regimes, so the argument that you have nothing to hide as an "innocent citizen" in democratic countries, or that Pegasus is so expensive that only a few parties are able to afford it, doesn't quite count.

"Pegasus affects us all" if not directly, then indirectly where such spyware and exploit trading has on overall cyber security.

---

Sources

• WhatsApp chief on Pegasus: 'It affects us all' - Frankfurter Allgemeine Zeitung
• The Million Dollar Dissident NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender - Citizenlab
• Technical Analysis of Pegasus - Lookout ( PDF file)
• Revealed: leak uncovers global abuse of cyber-surveillance weapon - The Guardian
• Zero-day exploits that Pegasus used in 2016: CVE-2016-4657, CVE-2016-4655, CVE-2016-4656
• Pegasus: Android version of sophisticated state Trojan surfaced - Heise.de
• Overview of articles about the Pegasus project - Suddeutsche Zeitung
• What is EternalBlue? - Avast.com
• Searches: Finfisher allegedly exported state trojans without permission - T3N
• French President Macron targeted by spies - Zeit Online
• Image source: Shutterstock