About Us | Contact Us
View Cart

Pegasus Making You Mega-Sus?

By Tanvee Dhir | Monday, August 16, 2021 - Leave a Comment

If Zero days need Zero clicks, are there any secure devices in the mix?

Tanvee Dhir explores the Pegasus spyware.
Another technical post, meant to inspire thought about IT Governance . . . .

news site on tablet and smart phone


Over the past couple of weeks, we have seen multiple stories regarding a powerful piece of spyware called Pegasus sold by the NSO group, an Israeli cyber intelligence company to multiple governments around the world. A leaked database of thousands of telephone numbers believed to be selected targets of the multiple NSO clients was released, supplemented by additional databases, internal documents, interviews, court documents, and other sources, which form the basis of the Pegasus Project.

Although the reports have just started catching the public eye, a journalism nonprofit Forbidden Stories and Citizen Labs have been closely investigating the NSO group and their operations since 2016. Forbidden stories led a collaborated investigation called the ‘The Pegasus Project’ with 17 media organizations in 10 countries which recently revealed a set of more than 50,000 leaked phone numbers believed to be a list of targets of NSO Group’s spyware in nearly 50 countries. The NSO group claims that it strictly caters to governments and builds Pegasus solely for use in counterterrorism and law enforcement. However, several reports and accusations of a it being used for cyber-surveillance and a tool that has led to possible violation of human rights have popped up around the globe.

What does Pegasus do?

Pegasus is a spyware-as-a-service developed by a private contractor for the use of government agencies. It has a novel mechanism to install and hide itself and obtain persistence on the system. The software infects a target’s phone and replicates its functions while sending back data including messages, photos, and audio recordings to the attacker. It ultimately gives the attacker a higher access to a user’s device than the user itself. The developers of Pegasus market its persistence and stealth operations, which means the software cannot be traced back to the government using it.

Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. What makes it even more scary is its capability of ‘zero-click’ infection which allows the device to be infected even without human interaction i.e., the user does not need to click any malicious links for the malware to be downloaded on their phone. It exploits the OS and application layer security in voice/audio calls and apps including Gmail, Apple Mail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, iMessage and others to craftily download the payload without alerting the user and gaining root access.

Technical Analysis

Tanvee Dhir, Data Security Analyst, infotex

The attack is simple in its delivery and slyly delivers the payload. The target device is simply delivered a website URL (through a range of identified apps) which, once clicked (or zero-click at times), delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. The Pegasus software contains the apps, processes and malicious code that are contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.

All modern devices running either iOS or Android even in their latest versions are susceptible to Pegasus infection. A lot of reporting and forensic analysis has been focused on iPhone devices because they have proven easier to analyze. Android being an open source gives the software a better chance at covering their tracks or does not have the logs needed to analyze.

The malicious links and C&C servers related to Pegasus were discovered to use HTTPS which requires operators to register and maintain domain names. The domain names for the exploit links were found to be impersonating mobile providers, banks and government services which can be initially overlooked as benign.

In response, NSO and their legal team claimed that the released list of numbers looked more like a public list of HLR (Home Location Register) data. HLR data is essentially a database kept by mobile phone companies that allow a real time query of a subscriber’s information. Security researchers argue that HLR lookups have long been used in surveillance of mobile phones because they indicate whether the phone is on, and thus available for hacking, and are also believed to be integrated into the functionality of the Pegasus software.

A detailed technical analysis released by Lookout gives an in-depth examination on how the spyware operates in all stages. Another report, released by Amnesty International, outlines various forensic traces found in the devices post-infection. Citizen’s Lab, which is also a key member in the discoveries related to Pegasus, developed Internet scanning techniques to identify 45 countries where Pegasus operators might be functional and abusing the spyware to target civil society. Based on the geographical placement of the numbers, the investigators were able to identify potential NSO clients in 11 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).

Investigation at a glance

The Pegasus Project identified over 1,000 phone numbers and linked them to their owners, which included a range of politicians and government workers (including 3 presidents, 10 prime ministers and a king), 189 journalists, and 85 human rights activists. Amnesty International’s security lab, as the technical support to the Pegasus Project, examined data from 67 phones from the list. 37 of these devices showed forensic traces of Pegasus network activity, out of which 23 were successfully infected and 14 had traces of attempted targeting. The remaining devices had inconclusive results due various factors including insufficient data or replaced devices.

NSO Group’s clients mostly selected people from their own countries for targeting, but they did occasionally target foreign numbers, including those belonging to politicians and journalists. As mentioned in a blog by OCCRP:

“In many of these cases, the phone numbers identified were consistent with persons of interest to governments, including both legitimate security threats like terrorists and hundreds of independent journalists, dissidents, and members of the political opposition.  Furthermore, some of these numbers appeared on the list during time periods corresponding to real world events — such as elections, arrests, or the release of compromising private information — in ways that suggest a correlation with the data.”

There is no hard evidence of where and how the list originated or how it was used. There are hundreds of phone numbers included which may have no traces of infection at all or where an attempted infection was successful. In other words, just because a number was included in the list doesn’t necessarily mean it’s compromised.

Over the coming weeks, the coalition of media partners of The Pegasus Project – including The Guardian, Le Monde, Süddeutsche Zeitung and The Washington Post – will be running a series of stories exposing details of how world leaders, politicians, human rights activists, and journalists have been selected as potential targets of this spyware. The Frontline also has a live blog covering the global stories from all the media partners in the Pegasus Project.

What can you do?

Amnesty International released a tool called the Mobile Verification Toolkit (MVT) along with identified Indicators of Compromise to analyze the device for possible Pegasus infection. Due to the advancement of the hack to achieve zero-click access, there are only a few things a user can do. Keeping the OS and applications up to date is the primary requirement as the spyware looks to exploit any available vulnerability on the device. The primary method of infection still remains malicious links and phishing attempts hence we should always practice caution while clicking on unknown links and downloading unknown applications.

Original article by Tanvee Dhir CEH. Data Security Analyst, infotex



Latest News
    What you need to know for compliance coast-to-coast. Back in 2020 we posted an article containing links to data breach laws from each state, and it has proven to be one of our more popular posts.  Because laws surrounding the use (and abuse) of technology are always evolving, we thought it was worth taking another […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! In the spirit of October and Halloween we have put together a gallery of our “spooky” Awareness Posters at halloween.infotex.com. Use them to help decorate for the holiday! Check […]
    With nearly three in four people using third-party payment services tied to their bank accounts, the risk isn’t limited to your own policies and procedures… An article review. When working on cybersecurity awareness messages for your customers you may be inclined to focus on your own systems, but a new study on security in digital […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX infotex is excited to announce that Cody Smith has joined the team as the newest Data Security Analyst. Cody holds several industry certifications (including the most recent: SSCP) as well as a B.S in Cyber Security & Information Assurance from Western Governors University. […]
    It’s all about protecting Customer information . . . In 1999 the Gramm-Leach-Bliley Act (GLBA) directed the Federal Deposit Insurance Corporation (FDIC) and other federal banking agencies to ensure that financial institutions have policies, procedures, and controls in place to prevent the unauthorized disclosure of customer financial information.  The FDIC and other federal banking agencies […]
    A Ghoulish Gallery! Just a few scary-themed Awareness posters from our collection, which you can see at posters.infotex.com! Below you will find both the vertical and horizontal versions of each of the posters, all you need to do is “right-click > “Save link as…” to download! Vertical 8.5″ x 11″ Format   Horizontal 11″ x […]
    What to Expect in an Annual Information Security Report to the Board Webinar-Movie Information security ranks as a top risk to financial institutions, both in terms of likelihood and overall impact. It is important that boards receive annual comprehensive reporting from management about the information security risks and incidents, and the actions taken to address […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    With the potential to break all existing forms of encryption, quantum computing poses a unique challenge… An article review. While quantum computing has been a buzzword for some time now the technology remains largely theoretical, with small scale proofs-of-concept that still suffer from serious limitations.  That hasn’t stopped security researchers from worrying about the technology’s […]
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]