Earlier this week, it was reported in the media that Israeli spyware called Pegasus had been used to spy on Indian journalists and activists earlier this year. Since the surveillance was carried out via the popular messaging app WhatsApp, citizens of the country have been left wondering how a piece of malware can breach their privacy in this way. Today, therefore, we look into the Pegasus malware and how it works.
How Pegasus works and what it does
Pegasus is spyware capable of compromising any Android or iOS-based device and plundering a myriad of data from the infected device, including text messages, emails, keylogs, audio and information from applications installed on the device, such as Facebook, Instagram and Twitter, which are popular with people across the world. If this weren't enough, the spyware can also record conversations and video and take pictures using the infected device's camera. The malware was created by NSO Group, an Israeli cybersecurity firm established in 2010.
A Pegasus attack starts with a simple phishing scheme. The attackers identify their target and send them a clickable website URL via social media, email, text message or any other messaging channel.
On an iOS device, once the user clicks the link sent by the attacker, the malware silently carries out a chain of zero-day exploits that jailbreaks the victim's device so the spyware can be installed remotely.
The only visible sign that an attack has taken place is that the browser closes after the victim clicks the link. Otherwise, there is no indication that anything unusual has happened or that any new processes are running on the device.
Once the malware is installed, it contacts the operator's command-and-control server to receive and execute the operator's commands.
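The command-and-control check-in described above is also the point at which implanted spyware tends to leave a trace a defender can look for: periodic outbound connections to the same host at a near-constant interval. The following is an added example, not code from the original article or from any analysis of Pegasus itself. It parses a constructed log of outbound connections (the hostnames are placeholders, not real infrastructure) and flags destinations that a device contacts at a regular cadence, which is a common first-pass heuristic for beaconing.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample of outbound connections: "<ISO timestamp> <device> <destination host>".
# The hosts are illustrative placeholders, not real indicators of compromise.
SAMPLE_CONNECTIONS = """
2019-10-30T08:00:00 phone-01 example-news.test
2019-10-30T08:00:05 phone-01 c2-placeholder.test
2019-10-30T08:03:21 phone-01 social.test
2019-10-30T08:05:05 phone-01 c2-placeholder.test
2019-10-30T08:10:05 phone-01 c2-placeholder.test
2019-10-30T08:11:42 phone-01 example-news.test
2019-10-30T08:15:05 phone-01 c2-placeholder.test
2019-10-30T08:20:05 phone-01 c2-placeholder.test
2019-10-30T08:25:05 phone-01 c2-placeholder.test
2019-10-30T08:33:09 phone-01 social.test
"""


def parse_connections(text):
    """Parse the whitespace-separated log into (timestamp, device, host) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, device, host = line.split()
        records.append((datetime.fromisoformat(ts), device, host))
    return records


def find_beacons(records, min_connections=5, max_jitter_ratio=0.1):
    """Return {(device, host): mean_interval_seconds} for destinations a device
    contacts at least `min_connections` times with gaps whose relative standard
    deviation is at most `max_jitter_ratio` (i.e. a near-constant cadence)."""
    by_pair = defaultdict(list)
    for ts, device, host in records:
        by_pair[(device, host)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few contacts to say anything about cadence
        times.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        # A regular beacon has gaps that barely vary around the mean.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter_ratio:
            beacons[pair] = avg
    return beacons


if __name__ == "__main__":
    for (device, host), interval in find_beacons(parse_connections(SAMPLE_CONNECTIONS)).items():
        print(f"{device} contacts {host} roughly every {interval:.0f}s: candidate beacon")
```

In the constructed sample only the placeholder host is contacted six times at an exact five-minute interval, so it is the only pair reported. Real implants usually add jitter and blend in with ordinary traffic, so in practice this heuristic is a starting point for triage rather than a verdict, and the thresholds need tuning against the device population being monitored.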
The spyware's malicious code lets the operator collect a wide range of information by spying on what the user does on the device. It can access and exfiltrate the phone's basic functions, such as email, messages and calls, along with logs from social media and messaging apps such as Facebook, WhatsApp, FaceTime, Skype, Viber and Tango.
Unlike most other malware, once Pegasus has jailbroken the victim's device it compromises the apps that are already installed rather than replacing them with malicious versions.
Pegasus for Android does not rely on zero-day vulnerabilities to root the target device and install the malware; it uses a well-known rooting technique called Framaroot. On iOS, by contrast, jailbreaking the device is a necessary step: if the zero-day exploit chain fails to jailbreak the device, the whole attack fails. The Android version, however, includes functionality that lets the malware request permissions so it can still extract data if the initial attempt to root the device is unsuccessful.
Taking a look at Pegasus’ history
Ahmed Mansoor, a human rights activist from the UAE, is credited with the discovery of Pegasus. Mansoor, who is now imprisoned, received SMS text messages on his iPhone on the 10th and 11th of 2016 promising vital information about people tortured in the UAE. Instead of clicking on the link, Mansoor forwarded it to researchers at a cybersecurity organization based at the University of Toronto. The organization's research covers digital espionage, and it recognized that the links belonged to exploit infrastructure connected to the NSO Group, which sells Pegasus and other spyware.
When Apple learned of Pegasus, it released security updates patching the three vulnerabilities that Pegasus was reported to have exploited. Google, meanwhile, helped researchers investigate the case and notified potential targets before an attack could be carried out.
To read more, please check eScan Blog