What is Pegasus spyware and how does it hack phones?

NSO Group software can record your calls, copy your messages and secretly film you

It is the name for perhaps the most powerful piece of spyware ever developed – certainly by a private company. Once it has wormed its way onto your phone, without you noticing, it can turn the phone into a 24-hour surveillance device. It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met.

Pegasus is the hacking software – or spyware – that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It has the capability to infect billions of phones running either iOS or Android operating systems.

The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.

Since then, however, NSO’s attack capabilities have become more advanced. Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed. These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.

In 2019 WhatsApp revealed that NSO’s software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability. Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call. More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.

Technical understanding of Pegasus, and how to find the evidential breadcrumbs it leaves on a phone after a successful infection, has been improved by research conducted by Claudio Guarnieri, who runs Amnesty International’s Berlin-based Security Lab.

“Things are becoming a lot more complicated for the targets to notice,” said Guarnieri, who explained that NSO clients had largely abandoned suspicious SMS messages for more subtle zero-click attacks.

For companies such as NSO, exploiting software that is either installed on devices by default, such as iMessage, or is very widely used, such as WhatsApp, is especially attractive, because it dramatically increases the number of mobile phones Pegasus can successfully attack.

As the technical partner of the Pegasus project, an international consortium of media organisations including the Guardian, Amnesty’s lab has discovered traces of successful attacks by Pegasus customers on iPhones running up-to-date versions of Apple’s iOS. The attacks were carried out as recently as July 2021.

Forensic analysis of the phones of victims has also identified evidence suggesting NSO’s constant search for weaknesses may have expanded to other commonplace apps. In some of the cases analysed by Guarnieri and his team, peculiar network traffic relating to Apple’s Photos and Music apps can be seen at the times of the infections, suggesting NSO may have begun leveraging new vulnerabilities.

Where neither spear-phishing nor zero-click attacks succeed, Pegasus can also be installed over a wireless transceiver located near a target, or, according to an NSO brochure, simply manually installed if an agent can steal the target’s phone.

Once installed on a phone, Pegasus can harvest more or less any information or extract any file. SMS messages, address books, call history, calendars, emails and internet browsing histories can all be exfiltrated.


“When an iPhone is compromised, it’s done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device,” said Guarnieri. “Pegasus can do more than what the owner of the device can do.”

Lawyers for NSO claimed that Amnesty International’s technical report was conjecture, describing it as “a compilation of speculative and baseless assumptions”. However, they did not dispute any of its specific findings or conclusions.

NSO has invested substantial effort in making its software difficult to detect, and Pegasus infections are now very hard to identify. Security researchers suspect more recent versions of Pegasus only ever inhabit the phone’s temporary memory (RAM), rather than its persistent storage, meaning that once the phone is powered down virtually all trace of the software vanishes.

One of the most significant challenges that Pegasus presents to journalists and human rights defenders is the fact that the software exploits undiscovered vulnerabilities, meaning even the most security-conscious mobile phone user cannot prevent an attack.

“This is a question that gets asked to me pretty much every time we do forensics with somebody: ‘What can I do to stop this happening again?’” said Guarnieri. “The real honest answer is nothing.”

Contributors

David Pegg and Sam Cutler

The Guardian
