A powerful hacking tool called Pegasus spyware, developed by an Israeli firm and licensed to governments for tracking terrorists and criminals, is also used to hack the smartphones of ministers, opposition leaders, journalists, the legal community, businessmen, government officials, scientists, rights activists and others, according to an investigation by 16 media partners.
Pegasus is the hacking software – or spyware – that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It has the capability to infect billions of phones running either iOS or Android operating systems.
The leaked list includes more than 50,000 phone numbers that were concentrated in countries that engage in surveillance of their citizens.
Rwanda features among the top 10 countries whose phones appear in the leaks obtained by Amnesty International and Forbidden Stories.
The NSO Group says it licenses its Pegasus spyware to track terrorists and criminals. NSO said its customers include 60 intelligence, military and law enforcement agencies in 40 countries, but declined to identify any of them.
Pegasus spyware: how it’s used to hack your phone
Once it has wormed its way on to your phone, without you noticing, it can turn it into a 24-hour surveillance device.
It can copy messages you send or receive, harvest your photos and record your calls. It might secretly film you through your phone’s camera, or activate the microphone to record your conversations. It can potentially pinpoint where you are, where you’ve been, and who you’ve met.
The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.
Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.
These will often exploit “zero-day” vulnerabilities, which are flaws or bugs in an operating system that the mobile phone’s manufacturer does not yet know about and so has not been able to fix.
In 2019 WhatsApp revealed that NSO’s software had been used to send malware to more than 1,400 phones by exploiting a zero-day vulnerability.
Simply by placing a WhatsApp call to a target device, malicious Pegasus code could be installed on the phone, even if the target never answered the call.
More recently NSO has begun exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually updating its software to prevent such attacks.
Technical understanding of Pegasus, and how to find the evidential breadcrumbs it leaves on a phone after a successful infection, has been improved by research conducted by Claudio Guarnieri, who runs Amnesty International’s Berlin-based Security Lab.
“Things are becoming a lot more complicated for the targets to notice,” said Guarnieri, who explained that NSO clients had largely abandoned suspicious SMS messages for more subtle zero-click attacks.
For companies such as NSO, exploiting software that is either installed on devices by default, such as iMessage, or is very widely used, such as WhatsApp, is especially attractive, because it dramatically increases the number of mobile phones Pegasus can successfully attack.
According to the Guardian, Pegasus can also be installed over a wireless transceiver located near a target, or, according to an NSO brochure, simply manually installed if an agent can steal the target’s phone.
Once installed on a phone, Pegasus can harvest more or less any information or extract any file. SMS messages, address books, call history, calendars, emails and internet browsing histories can all be exfiltrated.
“When an iPhone is compromised, it’s done in such a way that allows the attacker to obtain so-called root privileges, or administrative privileges, on the device,” said Guarnieri. “Pegasus can do more than what the owner of the device can do.”