We'll tell you about the notorious spyware for iOS and Android that was used by the government to spy on more than 50,000 people.
Hello everyone, dear friends!
Today we will tell you about the notorious spyware for iOS and Android, which was used by governments of many countries to spy on more than 50,000 people.
Introduction
At one time, traces of the Pegasus spyware were found in the phones of many journalists and activists around the world. The list of potential targets for surveillance includes more than 50 thousand people.

Pegasus is a spyware that can be installed undetected on mobile phones and other devices running the Apple iOS and Android mobile operating systems.

The software was developed by Israeli company NSO Group. The developer says it provides “authorized governments with technology that helps them fight terrorism and crime,” and has published sections of contracts requiring customers to use Pegasus only for criminal and national security purposes. The developer also claims to be sensitive to human rights.
1. Pegasus software capabilities
- Pegasus infects iPhones and Android devices via SMS, WhatsApp, iMessage and other channels.
- Allows you to extract messages, photos and email correspondence, contacts and GPS data, as well as record calls and discreetly turn on the microphone and camera.
- Pegasus allows you to control the device itself and access everything stored on it.
- Pegasus monitors keystrokes on the infected device - all written communications and search queries, even passwords - and transmits them to the client, as well as giving access to the phone's microphone and camera.
Pegasus has evolved from a relatively simple system that relied primarily on social engineering attacks to a program that doesn't even require the user to click on a link to hack their phone.
We also have early screenshots of the Pegasus interface, we invite you to take a look at them:

A screenshot of NSO Group's Pegasus workstation software, which visualizes location data collected from infected devices.

In this screenshot you can see the victim's call monitoring section. Each of them is recorded and can be listened to.

Here you can see the calendar monitoring interface, which allows you to find out about the victim's possible meetings, their schedule and other interesting things.
2. The Pegasus mass surveillance scandal
In July 2021, press reports emerged that authoritarian regimes were using Pegasus to hack the phones of human rights activists, opposition journalists, and lawyers. At the same time, a list of more than 50,000 telephone numbers of people who were supposedly of interest to NSO Group clients was leaked to the press.
Among the countries that are NSO clients, whose law enforcement agencies and intelligence agencies entered numbers into the system, are:
- Azerbaijan,
- Bahrain,
- Hungary,
- India,
- Kazakhstan,
- Morocco,
- Mexico,
- United Arab Emirates,
- Rwanda,
- Saudi Arabia.
In particular, the Pegasus program was used to wiretap the phones of two women close to Saudi journalist Jamal Khashoggi, who was killed in October 2018. The phone numbers of Princess Latifa, the daughter of Dubai ruler Mohammed Al Maktoum and his ex-wife Princess Haya Al Hussein, were also found on the list.
2.1 Policies
Pegasus' victims reportedly include around 600 government officials from 34 countries, including:
- Iraqi President Barham Saleh,
- South African President Cyril Ramaphosa,
- the Prime Ministers of Pakistan, Egypt and Morocco.
According to the Parisian newspaper Le Monde, in 2017, Moroccan intelligence identified a number used by French President Emmanuel Macron, which creates the risk of infection with Pegasus.
2.2 NSO Position
Naturally, NSO denies the allegations. The company said Pegasus was designed to combat terrorists and crime, and was only supplied to the military, police, and intelligence agencies of countries that respect human rights. The company said in a statement that the allegations made by French NGO Forbidden Stories and human rights group Amnesty International were based on incorrect assumptions and unsubstantiated theories.
3. How Pegasus software works
3.1 Malicious links
Previously, the malware required the victim to click on a malicious link in order to take effect: the program's operators would send a text message with a link to the target's phone. NSO Group used various tactics to increase the likelihood of clicking on the link. For example, they would send spam messages to anger someone, and then send another message with a link that they had to click to stop receiving spam.

In these photos you can see messages that were sent by Pegasus operators to one of the people who were being monitored. Since this person was an activist, the text of the message was chosen accordingly (translated from Russian: "new secrets about the torture of Emiratis in state prisons").
However, users could understand that the links were malicious and stopped responding to spam and other provocations. Therefore, after a while, another tactic appeared...
3.2 No-Click Exploits
The new tactic involved using so-called “no-click exploits” which rely on vulnerabilities in popular apps like iMessage, WhatsApp, and Facetime, all of which receive and process data — sometimes from unknown sources. Once a vulnerability is discovered, Pegasus infiltrates the device using the app's protocol. The user does not need to click a link, read a message, or answer a call.
This is how Pegasus penetrated most messaging systems, such as:
- Gmail,
- Facebook,
- WhatsApp,
- Facetime,
- Viber,
- WeChat,
- Telegram,
- Built-in instant messengers and Apple mail.
3.3 Network injections
In addition to no-click exploits, NSO Group customers can also use so-called “network injections” to gain access to a phone without being noticed. Browsing the web can make the device vulnerable to attack without clicking on a malicious link.
With this approach, the user must navigate to an unsecured website during their normal online activity. Once they navigate to the unsecured site, NSO Group software can access the phone and infect it.
However, this method is more difficult to use than attacking a phone with a malicious link or a no-click exploit, as it requires monitoring the mobile phone's usage until the Internet traffic is unprotected.
4. How to understand if the device is infected
To detect Pegasus on a device, you need to look for the most obvious sign: malicious links in text messages. These links lead to one of several domains used by NSO Group to download spyware to the phone - this is the company's infrastructure. There will also be similarities in the malicious processes executed by the infected device. There are only a few dozen of them, and one of them, called Bridgehead, or BH, appears repeatedly throughout the malware.
A clear sequence is observed on infected devices:
- the website was visited,
- the app was crashing,
- some files have been changed.
But there is no need to worry: most likely, you are not one of the people being targeted.
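To show how the three signs from this section can be checked in practice, here is a small triage script. It is an added example written for this post, not code from NSO Group, Amnesty or any forensic toolkit: it scans SMS records for links pointing at indicator domains, looks for the "bh" process name in a process list, and searches a device timeline for the website-visit, app-crash, file-change sequence. Every domain, phone number, process list, file path and timestamp in it is a constructed placeholder; the real NSO infrastructure domains are not reproduced here, and a real check would load a vetted indicator feed instead of the two placeholder domains.

```python
"""Added example (not from the original post): triage of the three Pegasus
indicators described above, run over constructed sample data.
All domains, numbers, process names, paths and times are placeholders."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed indicator list. A real check would use a vetted IoC feed;
# the actual NSO Group domains are deliberately not reproduced here.
INDICATOR_DOMAINS = {"example-bad-infra.test", "another-lure.test"}
# "Bridgehead" / BH, the process name mentioned in the post.
INDICATOR_PROCESSES = {"bh"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def domain_matches(host, indicators):
    """True if host equals an indicator domain or is a subdomain of one.
    A plain substring check would be fooled by 'bad.test.evil.org'."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def find_malicious_links(messages, indicators=INDICATOR_DOMAINS):
    """messages: list of (sender, text). Returns (sender, url) hits."""
    hits = []
    for sender, text in messages:
        for url in URL_RE.findall(text):
            host = urlparse(url).hostname or ""
            if domain_matches(host, indicators):
                hits.append((sender, url))
    return hits


def find_suspicious_processes(process_names, indicators=INDICATOR_PROCESSES):
    """Case-insensitive match of running process names against indicators."""
    return sorted(p for p in process_names if p.lower() in indicators)


def find_infection_sequence(events, window=timedelta(minutes=10)):
    """events: (timestamp, kind, detail) with kind in visit/crash/file_change.
    Returns (visited_url, crashed_app, changed_file) for every ordered
    visit -> crash -> file_change chain that completes inside `window`."""
    events = sorted(events)
    matches = []
    for i, (t_visit, kind, detail) in enumerate(events):
        if kind != "visit":
            continue
        later = events[i + 1:]
        crash = next(((t, d) for t, k, d in later
                      if k == "crash" and t - t_visit <= window), None)
        if crash is None:
            continue
        change = next(((t, d) for t, k, d in later
                       if k == "file_change" and t > crash[0]
                       and t - t_visit <= window), None)
        if change is not None:
            matches.append((detail, crash[1], change[1]))
    return matches


def triage(messages, processes, events):
    """Run all three checks and return the findings in one dict."""
    return {
        "malicious_links": find_malicious_links(messages),
        "suspicious_processes": find_suspicious_processes(processes),
        "infection_sequences": find_infection_sequence(events),
    }


# ---- constructed sample input (placeholders, not real data) ----
SAMPLE_SMS = [
    ("+10000000001", "New secrets about state prisons: "
                     "http://news.example-bad-infra.test/article?id=1"),
    ("+10000000002", "Your parcel is ready: https://legit.example.org/track/42"),
]
SAMPLE_PROCESSES = ["launchd", "SpringBoard", "bh", "mediaserverd"]
T0 = datetime(2021, 7, 18, 12, 0, 0)
SAMPLE_EVENTS = [
    (T0, "visit", "http://news.example-bad-infra.test/article?id=1"),
    (T0 + timedelta(seconds=20), "crash", "MobileSMS"),
    (T0 + timedelta(seconds=45), "file_change", "/var/tmp/constructed-example.plist"),
]
# Same events but the crash happens before the visit: must not match.
OUT_OF_ORDER_EVENTS = [
    (T0, "crash", "MobileSMS"),
    (T0 + timedelta(seconds=5), "visit", "http://news.example-bad-infra.test/"),
    (T0 + timedelta(seconds=9), "file_change", "/var/tmp/constructed-example.plist"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_SMS, SAMPLE_PROCESSES, SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The suffix match in `domain_matches` matters: a lure hosted on `news.<indicator-domain>` is caught, while an unrelated host that merely contains the indicator string as a prefix is not. The timeline check insists on the order the post describes (visit, then crash, then file change) within a short window, so a crash that predates the visit does not produce a false alarm.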
By the way, if you are interested in learning more about the technical side of this software (its code, exploits, etc.), give us feedback and we can release a large technical article on this topic.