Rediff.com

Decoded: All you wanted to know about Pegasus

July 28, 2021 07:53 IST

Given the costs, you would need to be a high-value target for a government agency to spend this sort of money, points out Devangshu Datta.

IMAGE: The NSO Group Technologies kiosk at the European Police Congress in Berlin, February 4, 2020. NSO, an Israeli technology firm, is known for its Pegasus spyware enabling the remote surveillance of smartphones. Photograph: Hannibal Hanschke/Reuters
 

A multinational investigation coordinated by 16 well-known news organisations, Amnesty International and several cybersecurity organisations has sparked off a scandal about widespread, illegal surveillance being carried out by nation states on their citizens. The investigation centred on a list of 'targets' of the Pegasus spyware.

At least 40 Indian journalists, along with members of Parliament, judges and others were supposedly targeted by Pegasus. Phones of seven of these persons, who agreed to allow forensic examination of their devices, were found to be infected.

What is Pegasus?

Pegasus is the name of spyware developed by Israeli firm NSO. It can be introduced surreptitiously into mobile devices and can suck up all data and meta-data on the infected device as well as monitor conversations, chats and browsing.

It attained notoriety when it was alleged the Saudi authorities were monitoring murdered journalist Jamal Khashoggi's phone by means of Pegasus.

Who can buy Pegasus?

NSO claims it will only sell the software to verified government agencies, with a contractual clause that the spyware can only be used in cases of suspected crime or terrorist activity.

In practice, the clause is unenforceable -- any buyer can then use it as they please.

However, it is possible for NSO to verify potential buyers and check whether they are official agencies, though it refuses to release its client list.

NSO claims it has 60 clients in 40 countries. NSO also says the spyware is mainly used by law enforcement and intelligence agencies as well as the military.

How much does Pegasus cost?

It is a technology that targets specific devices. A licence cost a minimum of about $650,000 in 2016, when the company released a catalogue (it doesn't publish a catalogue anymore).

Each licence allows for multiple installations (or infections, if you prefer).

In addition, the purchaser must spend a considerable amount to set up the infrastructure to capture, monitor and process the data.

NSO helps to set up the infrastructure and train the people who will infect the target's phones, and then monitor and process the data.

This installation and service charge has an asking price that could start at around $350,000.

But NSO says it does not do the monitoring itself, and thus 'has no visibility' on what is actually being picked up.

What's special about Pegasus?

It is very sophisticated spyware, which can remotely infect a very wide range of devices, and apparently does so without any action on the target's part.

Most mobile spyware is installed by getting hold of the physical device or via phishing.

In the latter, a text message/WhatsApp/e-mail with a malicious link is sent, and the target gets infected when he or she clicks on that link. Pegasus can be transmitted this way.

More importantly, NSO discovered a vulnerability that allowed it to infect mobiles by sending malicious WhatsApp messages, which did the job without any actions being necessary on the target's part.

NSO has, in fact, been sued by WhatsApp for exploiting this vulnerability.

Pegasus can also be spiked into the target's phone from a nearby base transceiver station (BTS). BTS is standard equipment used by telecom service companies to route and re-route signals.

What can Pegasus do?

Once installed, the spyware takes a wide range of permissions, allowing it to monitor location and e-mails, grab contact lists, take screenshots, grab media, grab instant messages and SMS, access browser history, take control of the phone's mike and cameras, etcetera.

Pegasus can also be deleted remotely. It is very hard to detect and once it is deleted, leaves few traces.

It can also be used to plant messages/mails, etcetera, which is why there are theories it may have been used to plant fake evidence to implicate activists in the Bhima Koregaon case.

How can you figure out if Pegasus is infecting your mobile?

Given the costs, you would need to be a high-value target for a government agency to spend this sort of money.

According to the technical experts who worked on this case, it is close to impossible to figure out if a phone has been infected with Pegasus. It doesn't cause slowdown or hanging.

It is slightly easier to detect Pegasus on an iPhone because iPhones keep more detailed logs of activity, and cybersecurity experts can see if data has been exchanged with suspicious Web sites.

Other than this, watch out for the usual signs of higher than normal data usage, and unusually high battery consumption (this is also lower with Pegasus than with other spyware).

Devangshu Datta in New Delhi