August 31, 2023

Unmasking Pegasus Spyware: The Invisible Threat to Activists, Journalists, and Whistleblowers

Pegasus spyware has captured global attention for its alarming capabilities and potential to compromise the security of individuals, especially activists, journalists, and whistleblowers.

Once unleashed on a target's device, Pegasus can secretly access personal information, monitor communications, and covertly record activities. For anyone daring to challenge power structures and expose the truth, it poses a grave threat.

But what is Pegasus? Where did it come from? How does it work and who is most at risk?

In this article, we aim to answer these questions and more. We explore how this powerful surveillance tool is being wielded against activists, journalists, and whistleblowers around the globe, and what can be done to avoid being its victim.

Whether you're an activist fighting for social justice, a journalist seeking truth, or a whistleblower driven by the need to expose wrongdoing, this article equips you with essential knowledge about Pegasus spyware.


What is Pegasus?

Pegasus is a highly sophisticated surveillance tool developed by the Israeli cyber intelligence firm NSO Group. It is designed to covertly infiltrate iOS and Android devices and gain complete access to their data and functionality. It is referred to as “spyware” because it surreptitiously gathers information and monitors its targets without their knowledge or consent.

The tool can secretly access personal information, monitor communications, and record activities. The official line from NSO Group is that Pegasus is a tool for combating crime and terrorism. Still, it has already gained notoriety for its misuse by governments, security agencies, and cybercriminals alike.

Where did Pegasus come from?

Pegasus was developed by the Israeli technology firm NSO Group. Founded in 2010, NSO Group specializes in the development of advanced surveillance and intelligence-gathering tools for government and law enforcement agencies. Pegasus spyware is the company's flagship product and was designed to provide governments with powerful capabilities for combating terrorism, organized crime, and other security threats.

That's the official line at least.

NSO Group has stated that it sells its products exclusively to authorized government entities and operates under strict export control regulations to ensure its technology is not misused.

However, there are multiple reports of Pegasus being used against individuals not involved in criminal activities, with tragic and even fatal consequences.

Even if NSO Group does sell only to government entities, not every government has good intentions. Once NSO has been paid and has handed over the spyware, it has little control over how the spyware is used and who it is targeted at.

We'll look at some instances of Pegasus misuse and the resulting infringement on human rights a little later. For now, let's delve deeper into the workings of the Israeli-made spyware.

How does a Pegasus attack work?

In the beginning, Pegasus was delivered to devices via smishing attacks. The targets were sent an SMS containing a link infected with malware. If the target clicked the link, their device would be automatically and silently infected with Pegasus, without their knowledge or consent.

But as the public caught on to smishing scams, NSO Group moved to the more sophisticated method of “zero-click exploits”.

Zero-click exploits rely on existing vulnerabilities in popular apps that may be on the target's device, such as iMessage and WhatsApp.

On finding a vulnerability, Pegasus will use the app's protocol to infiltrate the device, meaning no interaction from the target is required. They don't have to open a message, answer a call, or click on a dodgy link. There won't even be any indication that anything has taken place: no missed calls, no random messages. It's all done in the background, which is what makes Pegasus spyware detection so difficult.

The other, more difficult, way to infect a device with Pegasus is with “network injections”.

This is when the Pegasus client waits for the target to visit an unsecured website as part of their normal online behavior. Once there, Pegasus can be “injected” into their device. But this method requires constant monitoring of the target's online activity.

It's harder but certainly not impossible. It's usually achieved via the target's mobile operator, which some, especially authoritarian governments, control or can easily access.

If the target is outside the government's jurisdiction, then that method is more difficult. This is why the zero-click approach is the “preferred” attack vector. But whichever way it's done, it happens in a matter of milliseconds.

What can Pegasus do?

Pegasus features an undetectable keylogger allowing it (and the client operating it) to see everything a user types, including passwords. But this is just the tip of the iceberg. Once Pegasus infects a target's device, the sophisticated spyware can:

  • remotely activate the device's camera and microphone
  • record conversations
  • capture screenshots
  • track GPS locations
  • access contacts and call logs
  • read messages and emails
  • extract various other forms of sensitive data

The spyware covertly transmits the extracted data to the operator's remote servers for analysis and monitoring. Basically, it allows its operator to monitor and track the target's every move.

Pegasus controversy

Pegasus' capabilities and its widespread use (and misuse) have sparked global debates on the balance between national security, law enforcement, and individual privacy.

Governments and technology companies alike have faced increasing pressure to address the potential threats posed by such powerful surveillance tools and to implement robust safeguards to protect individuals from unwarranted intrusion.

In 2022, the European Data Protection Supervisor (EDPS) called for the spyware to be banned saying that its use would lead to an "unprecedented level of intrusiveness, able to interfere with the most intimate aspects of our daily lives."

Even data-hungry Google has called upon the US government to take a stand against NSO Group. When Google is outraged by the privacy violations of other companies, then you know things must be bad!

In January 2023, Meta was granted permission by the U.S. Supreme Court to sue the Israeli company for exploiting a bug in the WhatsApp messaging app. The zero-click attack allowed the spyware to be installed on the devices of 1,400 people, including journalists, human rights activists, and dissidents.

Other industry experts have voiced their concerns and opinions about the Israeli-made spyware. Timothy Summers, a former cyber engineer at a U.S. intelligence agency, told reporters that it “is nasty software – eloquently nasty.”

NSA whistleblower Edward Snowden has condemned NSO Group as being the “worst of the worst”, adding that commercial spyware is an industry that should not exist.

But if the spyware is intended for catching criminals and stopping acts of terrorism, then why such an outcry?

The Pegasus Project

The Pegasus Project was a major investigative journalism initiative that came to light in July 2021. It involved 80 journalists from 17 media organizations, including The Guardian, The Washington Post, and several other international outlets, from 10 different countries.

The collaboration, led by the nonprofit organization Forbidden Stories and Amnesty International, revealed the widespread use of Pegasus by various governments and state actors to target journalists, human rights activists, lawyers, politicians, and other individuals of interest.

The investigation identified potential NSO clients in 11 countries, including Armenia and Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the United Arab Emirates (UAE).

More recent investigations have also found evidence of Pegasus being used against journalists and activists in the Dominican Republic, Spain, and Thailand.

NSO Group denies the allegations and claims that the reporting is based on wrong assumptions and uncorroborated theories.

Let's take a look at a couple of the most high-profile cases from the report.

Jamal Khashoggi

Jamal Khashoggi was a Saudi dissident, author, and columnist for Middle East Eye and The Washington Post. He was living in self-imposed exile in the United States, but in October 2018 he traveled to Istanbul to visit the Saudi Consulate and obtain the documents he needed to marry his fiancée.

He entered the consulate on October 2nd and was never seen or heard from again. Khashoggi was assassinated inside the consulate by agents of the Saudi government, allegedly following orders of Crown Prince Mohammed bin Salman.

His brutal and shocking murder (he was tortured and dismembered inside the consulate) is thought to be a direct result of a Pegasus attack.

In the months leading up to his assassination, Khashoggi was in daily contact with fellow Saudi dissident Omar Abdulaziz. Abdulaziz's phone was infected with Pegasus, meaning that all of their conversations were compromised. On learning this, just months before his fateful consulate visit, Khashoggi had written: “God help us.”

The Pegasus Project also found that devices belonging to multiple members of the Khashoggi family were infected with the spyware.

Cecilio Pineda Birto

Cecilio Pineda Birto, a freelance reporter in Mexico, was shot dead on March 2, 2017, just hours after he made a broadcast on Facebook Live accusing state police and local politicians of colluding with a violent local crime boss.

Pineda's phone disappeared from the crime scene so it wasn't possible to confirm whether it was infected with Pegasus spyware or not.

Being a journalist in Mexico is notoriously dangerous, and Pineda had received multiple death threats over the years. But it wasn't until his phone number was flagged as a potential Pegasus target by a Mexican client of NSO Group that the threats finally became reality.

Of course, it could be a coincidence.

There are other ways that Pineda's whereabouts could have been known.

However, an investigation by The Guardian suggested that “Pineda was selected as a possible target by Mexico's Ministry of Defence, NSO's first client.”

How to protect yourself from a Pegasus attack?

If you're a journalist, activist, whistleblower, or simply anyone with a strong opinion that doesn't conform to the ruling narrative, you might be wondering what you can do to protect your device, your information, and yourself from Pegasus, and the clients operating it.

The bad news is, there is currently no way to completely defend against Pegasus.

Traditional anti-virus programs are pretty much useless in Pegasus spyware detection. And no matter what encrypted messaging app you use to communicate, Pegasus will render it useless. The client will see your messages before they are encrypted and sent, and see any replies you receive.

Keeping your device's operating system up to date can help reduce the risk, as updates often contain patches for known vulnerabilities. Another effective option is to go low-tech. But this isn't exactly convenient, especially if you need your phone to do your job.

The truth is, a Pegasus attack can happen in mere seconds without warning. It can happen through an app vulnerability that you (and maybe even the app's developers) are not aware of.

And you won't even notice it happening. There will be no slowdown on your phone, no weird messages, and no suspicious clicks at the end of the line. Nothing. It's practically invisible.

This brings us to our next dilemma...

Pegasus spyware detection and removal

Pegasus can remain active even after reboots or software updates, and operates in stealth mode, making Pegasus spyware detection and its removal extremely difficult.

But if you suspect your device might be the target of a Pegasus attack, Amnesty International has developed a tool to help you scan your device.

The Mobile Verification Toolkit (MVT) is compatible with iOS and Android devices but has to be configured for a specific device. This can only be done on macOS or Linux. If you have the skills, the source code is available for free on GitHub.

The MVT works by saving a backup copy of the phone's data, scanning it for Pegasus, and then informing the user whether the device is compromised.

However, you have to be technically savvy in order to make use of it.

It even comes with a warning...

“MVT is a forensic research tool intended for technologists and investigators. Using it requires understanding the basics of forensic analysis and using command-line tools.”

If that's not you, then don't try it at home.

Your best bet is to take your device to a cybersecurity expert and let them handle it. Or, get a new phone and change all your passwords.
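
To make the "scan the backup" step described above more concrete, here is a simplified illustration of one kind of check such a scan can perform: comparing URLs pulled from a backup against a list of known-bad domains. It is an added example, not MVT's or Amnesty International's code; the records, the indicator domains (reserved `.example` and `.invalid` names) and all function names are constructed for the illustration.

```python
from urllib.parse import urlsplit

# Constructed indicator list: placeholder domains, not real Pegasus infrastructure.
INDICATOR_DOMAINS = {"bad-infra.example", "cdn.tracker.invalid"}

# Constructed records standing in for rows extracted from a phone backup
# (browser history entries, links found in SMS bodies, and so on).
RECORDS = [
    {"source": "safari_history", "ts": "2023-08-01T09:14:02Z",
     "url": "https://news.example.org/world"},
    {"source": "sms", "ts": "2023-08-02T22:41:55Z",
     "url": "https://x7.bad-infra.example/a?id=1"},
    {"source": "safari_history", "ts": "2023-08-03T07:02:10Z",
     "url": "http://notbad-infra.example/login"},
    {"source": "sms", "ts": "2023-08-03T07:05:00Z",
     "url": "HTTPS://CDN.Tracker.Invalid./p"},
    {"source": "sms", "ts": "2023-08-04T12:00:00Z", "url": "not a url"},
]

def host_of(url):
    """Return the lower-cased hostname without a trailing dot, or None."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def matches_indicator(host, indicators):
    """True if host equals an indicator domain or is a subdomain of one."""
    labels = host.split(".")
    # Compare whole-label suffixes so 'notbad-infra.example' does not
    # match the indicator 'bad-infra.example'.
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))

def scan(records, indicators):
    """Return (timestamp, source, host) for every record that hits an indicator."""
    hits = []
    for rec in records:
        host = host_of(rec["url"])
        if host and matches_indicator(host, indicators):
            hits.append((rec["ts"], rec["source"], host))
    return sorted(hits)

if __name__ == "__main__":
    for ts, source, host in scan(RECORDS, INDICATOR_DOMAINS):
        print(f"{ts}  {source:<15} {host}")
```

A hit from a check like this is a lead for a forensic analyst to investigate, and a clean result only means none of the listed indicators were found in the data that was examined.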

Conclusion

As we have seen, Pegasus has already been widely misused. The cases of Jamal Khashoggi and Cecilio Pineda Birto stand as stark reminders of the tragic consequences that can result from Pegasus attacks.

The outcry from journalists, activists, and whistleblowers, as well as prominent figures like Edward Snowden, demonstrates the urgent need for action and safeguards against such intrusive surveillance tools.

Regrettably, there is currently no foolproof defense against Pegasus. However, keeping your device's operating system up to date can help mitigate the risk. Stay vigilant, stay informed, and let us stand united against surveillance and the erosion of privacy.

Want to know more about government mass surveillance? Check out The Five Eyes, Nine Eyes, and Fourteen Eyes Explained.

Ruby M
Hoody Editorial Team

Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.
