Pegasus Spyware

NSO, the Israeli technology company has been working with governments around the world by selling them robust surveillance systems. The tool, named Pegasus, unlocks the contents of a victim’s cellphone and allows hackers to view or do anything on the device. While the tool seems dangerous, the NSO says it licenses the tool exclusively to government agencies to combat terrorism and other serious crimes.

While the public generally believed NSO was harmless as they focus on ‘bad actors’, recent reports confirm that there has been a leak at NSO showing they aren’t just spying on criminals. Some publications revealed they’ve been sent the leaked data and will be publishing many of those names later this week. The list of those surveilled includes lawyers, human rights defenders, religious figures, academics, business people, diplomats, senior government officials, and heads of state.

What Does It Do?

Once the malware makes its way into your device, generally without your knowledge, it turns into a 24-hour surveillance device. This type of malware is called ‘Spyware‘. This Spyware can (on both iOS and Android) copy messages you send or receive, harvest photos, and record your calls. Pegasus can covertly record you through your camera, or activate the microphone to record your conversations. The tool can potentially even pinpoint where you are, where you’ve been, and who you’ve met.

How?

The malware gets into your device through smishing attacks, but recent reports show their capabilities have become more advanced. Pegasus exploits can now be accomplished through ‘zero-click’ attacks, which don’t require any user input to work. These often exploit ‘zero-day’ vulnerabilities, which are bugs in an operating system that the manufacturer is unaware of and has not yet fixed.

Back in 2019, WhatsApp reported that NSO software was used to send malware to 14,000+ devices, exploiting a zero-day vulnerability. NSO was able to have the malware infect a device by simply calling a user through WhatsApp, even if the victim did not pick up. Recently, NSO began exploiting vulnerabilities in Apple’s iMessage software, giving it backdoor access to hundreds of millions of iPhones. Apple says it is continually patching its systems to prevent privacy attacks like these. 

What To Do?

Unfortunately, there aren’t many remedies for mobile phone anti-malware protection like there exists for your Windows desktop computer. A handful of companies currently advertise Antivirus products for Android devices including Panda, McAfee, and Webroot. No such product exists for iOS (Apple) Devices yet. However, McAfee and Webroot both make a secure browser for iOS devices to try and prevent malware from infecting your iOS device via the Web. It’s unclear, but unlikely that these products would protect against the Pegasus malware sent via WhatsApp or other zero-day attacks.

Beyond installing the Anti-virus or secure browser on your Android and iOS devices respectively here are some basic tips for mobile device protection:

1. Never leave your phone unattended or unlocked when not in use.
2. Keep your phone’s operating system fully patched and up-to-date.
3. Don’t install every app you see. Be highly selective and do not enable microphone or location services, unless absolutely necessary in those select few apps you do install.
4. Change your phone’s default passcode. Enable face ID and set a 14 to 20 character unlock code you can activate with a quick phone reboot.
5. Manage Bluetooth security by disabling it when not in use, and not connecting to any unknown devices.
6. Protect your credit cards, PINs, and other sensitive information (passwords) in a security App like LastPass that encrypts this data with strong passwords and multi-factor authentication.
7. Avoid unsecured or public Wifi.
8. Have an iPhone? Enable Find my iPhone. Super Tip: An Apple watch has a beacon function to find your iPhone in a hurry. Swipe up and tap the iPhone icon.
9. Don’t let your “Notifications” give you away. Especially block 2FA codes from displaying on your locked phone’s notifications screen.
10. Review your location services now. Chances are, before you read this article you gave a lot of permissions to applications that might be tracking or listening to you.

What other steps should I take to protect my Business?

But there are steps you can take to ensure you’re doing everything you can to improve your security and reduce the chances of being exploited by Spyware.

• Patch and update all devices and it’s applications whenever released
• Adopt two-factor authentication on all critical Internet-accessible services
• Adopt a password manager for better personal/work password hygiene
• Require 14+ character Passwords in your Governance Policies
• Deploy an Anti-Malware/Anti-Virus Solution to actively scan for vulnerabilities
• Follow a 3-2-1 backup method for all critical and sensitive data
• Train employees to spot and avoid email or SMS-based phishing attacks
• Check that employees can spot and avoid phishing emails by testing them
• Document and test Business Continuity Disaster Recovery (BCDR) plans
• Check emails and phone numbers regularly at HaveIBeenPwned.com and change passwords accordingly
• Perform a risk assessment every two to three years

Start building your robust, defense-in-depth cybersecurity plan today with CyberHoot.

To learn more about Pegasus’ capabilities, watch this short video:

Sources:

Washington Post

The Guardian – Article 1

The Guardian – Article 2 

Additional Readings:

iPhones Successfully Hacked via Pegasus Malware

AWS Bans Accounts Linked to Pegasus