Pegasus malware

How Pegasus works and what it does

A Pegasus attack starts with a simple phishing scheme: the attacker identifies a target then sends that target a website URL via email, social media, text message or any other message.

In the case of iOS devices, once the user clicks on the link, the malware secretly carries out a trio of zero-day exploits against the victim’s device, jailbreaking it remotely so the spyware can be installed.

The only indication that something has occurred is that the browser closes after the user clicks the link. There’s no other indication that anything has happened or that any new processes are running.

Once Pegasus is installed, it begins contacting the operator’s command and control servers to receive and execute the operator’s commands.

The spyware contains malicious code, processes and apps that spy on what the user does on the device, collects data and reports back what the user does. The malware can access and exfiltrate calls, emails, messages, and logs from applications including, Facebook, Facetime, Gmail, WhatsApp, Tango, Viber and Skype.

Once the spyware jailbreaks the user’s device, it compromises the original apps already installed on the device to capture data rather than download malicious versions of these apps.

Pegasus for Android doesn’t require zero-day vulnerabilities to root the target device and install the malware. Rather, the malware uses a well-known rooting technique called Framaroot.

With Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the overall attack sequence failed. However, the hackers built functionality into the Android version that enables Pegasus to still ask for permissions so it can access and exfiltrate data if the initial attempt to root the device is unsuccessful.

History of Pegasus

Pegasus was first discovered by Ahmed Mansoor, a human rights activist in the United Arab Emirates (UAE). On August 10 and 11, 2016, Mansoor, now imprisoned in the UAE, received SMS text messages on his iPhone that promised if he clicked on the link in the messages, he would receive new information about individuals tortured in UAE jails.

However, Mansoor didn’t click on the link. Rather, he sent the messages to researchers at the Citizen Lab, an organization based at the University of Toronto. The organization produces evidence-based research on cybersecurity issues associated with human rights concerns. The group’s research includes investigating digital espionage.

The researchers recognized that the links belonged to an exploit infrastructure connected to the NSO Group, which sells Pegasus and other spyware to governments known for human rights violations to spy on critics and activists.

When information about the iOS version of Pegasus was first released, Apple issued an iOS security update that patched the three vulnerabilities. Google helped researchers investigate the case with the Android version and notified potential Pegasus targets directly. Google claimed that just a few dozen Android devices had been infected.

In 2018, an Amnesty International staff member received a suspicious WhatsApp message that included a link that, if clicked, would have installed Pegasus on the employee’s mobile device. WhatsApp ultimately patched the flaw that would have allowed an attacker to infect a victim’s device with the spyware.

Who uses Pegasus?

NSO Group has said it sells its surveillance software to governments to help them fight terrorism and serious crime. Its spyware, including Pegasus, has been licensed to dozens of countries, including Mexico, Bahrain, Saudi Arabia and the UAE.

Governments worldwide have used Pegasus to target activists, including the Amnesty International employee; Saudi activists; Mansoor; at least 24 human rights defenders, journalists and parliamentarians in Mexico; and allegedly murdered Saudi journalist Jamal Khashoggi, according to a lawsuit filed in 2019 by Amnesty International and other groups demanding that the Israeli Ministry of Defense revoke the export license of NSO Group.