Unstoppable Zero Click Attack-Project Pegasus
If ransomware weren’t enough, here comes a new malware in town. It’s called Pegasus and is referred to as the “ultimate spyware for iOS and Android,” and even the most “sophisticated attack ever seen.” It reportedly sends user data to the attackers and can be installed with just a missed call from apps like WhatsApp. But just like every cloud has a silver lining, there is a possibility that you and I might never fall victim to this spyware.
Before we begin to dissect, this spyware, let’s learn what spyware is.
What is Spyware?
Spyware is a type of malicious software (or malware) that gets installed on a device (could be a computer or a smartphone). And invades the device by stealing sensitive information from the device and relays it to advertisers, data firms, or even an external user (which we’ll call an attacker here).
Spywares have become so stealthy and sophisticated these days that they can even evade modern anti-virus softwares.
History and development of Pegasus
NSO Group, an Israeli technology firm, developed Pegasus. which claims that it “creates technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”
In brief, it creates malicious applications/softwares that can help the government and law enforcement agencies to provide direct remote access to mobile phones and their content.
The first instance of Pegasus was captured by researchers in 2016 and revealed that it unsuccessfully attempted an attack on the device of UAE human rights activist Ahmed Mansoor.
In Sept 2018, The Citizen Lab, a Canadian Cyber Security Firm, published a comprehensive report that 45 countries are using this spyware to spy on human rights activists, journalists, etc.
When questions were raised, the NSO group answered that it neither keeps the data of the individuals nor can reveal the name of the organizations that buy it from them. It is reported that the malware comes with an annual fee of about 7 to 8 US million dollars.
How can you get infected?
The chances of you getting infected, unless you are an individual of concern to an organization, are pretty low.
The reason being that it can target only up to 50 phones at a time, so unless you are a threat to someone, no one will buy this malware by burning 8 million dollars to snoop on you.
But coming to the point, a hacker would typically try to infect a victim’s device (with Pegasus) by sending him a phishing link, which upon clicking will automatically download Pegasus. Reports claim that the newer version can also be downloaded by calling an infected device (or even with a missed call) using apps like WhatsApp.
Upon being downloaded, it will set up a connection with a command center (aka the hacker) which can then issue commands.
Based on the hacker issues, it can gather vast amounts of information from the victim’s device. It can include passwords, contact lists, calendar entries, and even your encrypted text messages and live voice calls. It can automatically open your camera and turn on your microphone, thus spying on your live.
But you’ll argue that WhatsApp calls and texts are end-to-end encrypted. Well, Pegasus sends your data before it is encrypted by the device (if the sender’s device is infected). And after the data gets decrypted (if the receiver’s device is infected), thus eliminating end-to-end encryption from the picture.
Malicious applications like Pegasus leverage zero-day vulnerabilities to get root-level access to your devices, which means that they’ll have more control over your device than you technically.
There are two versions of this spyware. One is called the classical version, while the other is the newer version that just surfaced and made it to the headlines. Your mobile phone is safe from the classical version, but you need to be cautious about the newer version. A few reports claim that android (Google) and Apple have fixed the vulnerabilities in their android 11 and iOS 14 versions, respectively. But Citizen Labs’ Bill Marczak confirmed that it was still operational in iOS 14.6 devices. Pegasus leveraged a zero-click iMessage exploit to install itself.
But here are 2 points that could be helpful to you if you think that you could be a victim.
- It can self-destruct if it cannot communicate with the control server (aka the hacker) within 60 days of its installation.
- If installed on the wrong device (it uses the SIM card number to identify its victims), it’ll automatically delete itself. Hence proved that it is used to spy on targeted victims.
Want to learn more about security and hacking, then follow Security Lit. We release weekly podcasts to help you figure out your way into the industry.