You might have heard about Pegasus spyware, a malicious app that infects phones, then accesses and leaks the victim’s data:
- it can record video and audio using the infected phone’s camera and microphone,
- it can see which web pages the victim visits and read the content of those pages, including passwords and personal messages,
- because Pegasus runs on the phone itself, it gets around encryption such as that used by privacy-focused messaging apps: the messages are read after the app has decrypted them.
Forbidden Stories published a new investigation into some of the victims of Pegasus. Amnesty International shared its technical observations of the Pegasus spyware.
Amnesty International also released a kit to check whether your Android or iOS device has been infected with Pegasus. It’s called the Mobile Verification Toolkit (MVT) and it can be found on GitHub. It’s a little technical to use; The Verge put out an article with more detailed instructions. Its results are not conclusive, though: the tool is more accurate on iPhones than on Android devices, so a clean result does not prove the device was never infected.
How does Pegasus infect devices?
According to Amnesty International’s earlier reports, Pegasus infections tended to begin with spontaneous browser redirects. The victim would try to open a website, but their browser would open another one instead. This was possible when browsers (and other apps) tried to open unencrypted (HTTP instead of HTTPS) connections, because anyone sitting on the network path can alter an unencrypted response and inject a redirect. For this attack to work at all, the attackers need access to the network used by the victim.
This is from a 2019 article by Amnesty International:
In this case, because the targeted device is an iPhone, connecting through a mobile line only, a potential vantage point could be a rogue cellular tower placed in the proximity of the target, or other core network infrastructure the mobile operator might have been requested to reconfigure to enable this type of attack.
Short messages and notifications
Back in 2017, Pegasus was seen spreading via malicious links in SMS, WhatsApp and iMessage messages. The victim would click on the malicious link, and that would allow the spyware to be downloaded.
From 2018 until July 2021, zero-click attacks were seen. The Washington Post (soft paywall) described what a Pegasus infection looks like, or rather, how scarily invisible to the victim it can be.
Zero-click means that the victim doesn’t need to do anything to get infected with Pegasus. The attacks start with notifications from malicious addresses (iMessage accepts messages from unknown senders), and there is nothing the victim can do to notice or stop it.
These zero-click attacks exploited vulnerabilities that were unknown to the vendor and therefore unpatched, also known as zero-days, present even in fully updated iPhones. This means that having all the latest updates installed didn’t protect the victims.
How to protect yourself against Pegasus?
To remove Pegasus from an iOS device, it should be enough to reboot the device.
It also helps to avoid clicking on unknown links and to install security updates as soon as they come out. If attackers are determined to infect your device, though, they probably won’t be stopped: after Apple patches these specific vulnerabilities, new ones may be discovered, and the attackers may also use social engineering (deception, impersonation, manipulation).
After the Pegasus news came out, Apple was criticized for presenting iPhones as devices that protect the privacy of their users. But there is never a guarantee that a device or application can withstand a focused, determined attack by a professional malicious actor. If your computer or phone can run general software, it can run malicious software.
It’s good to remember that Pegasus is targeted. It’s sold to governments by a private company (NSO Group) to spy on terrorists and criminals. It’s also abused by governments to keep an eye on investigators, journalists, and their friends and families.
The good (though bittersweet) news is that, if you’re not being targeted by your government, then you probably don’t need to fear Pegasus spyware.