Recently, you might have come across the news of Israeli spyware Pegasus hacking into people’s mobile phones and being able to read their messages and tap calls.
There have been reports that accused several governments including India spying on key public figures using this spyware. In India, at least 300 people are believed to have been targeted, including two serving ministers, three opposition leaders, one constitutional authority, several journalists and business persons.
However, the Indian government has said that these reports are “fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions.”
Here is all you need to know about the Pegasus spyware.
What is Pegasus spyware?
Pegasus is spyware developed by NSO Group, an Israeli company that specializes in cyber weapons. It first came into the limelight in the year 2016 when an Arab activist got suspicious of a shady message. There were reports that Pegasus was targeting iPhone users. Later Apple released an updated version of iOS that patched the security loopholes the spyware was using to hack phones.
A year later, it was found that Pegasus was equally capable of hacking Android
phones as well. As a result, mobile phone companies updated their security
system. In 2019, Facebook filed a case against NSO Group for creating Pegasus.
At the same time, WhatsApp also informed its Indian users about the spyware via
a message.
How does Pegasus spyware work?
Pegasus spyware can be covertly installed on mobile phones via a malicious website link. When the user clicks on it, the spyware is installed on the phone. It can also be installed via a security bug in voice calls through apps like WhatsApp. The spyware is so seamless that could be installed on the phone by simply giving a missed call to the user. In fact, the software deletes the call log entry so that the user wouldn’t know that their phone has been hacked.
Once the spyware is installed on the targeted phone, it downloads the necessary modules that help it to access the data. The spyware has keylogging and audio recording capabilities which enables it to listen to calls and read encrypted messages.
Another interesting fact about the Pegasus spyware is that it can hide in the phone completely. If it is not able to communicate with its command-and-control (C&C) server for more than 60 days or is installed on the wrong device, the spyware self-destructs itself.
What threat does it cause?
The Pegasus spyware can hack the target user’s phone and access all their personal information. It can even access encrypted chats made through WhatsApp. The spyware can also read messages, track calls, keep a check on user activity within apps, gather their location data, and access video cameras on the phone. Not just this, the hacker can also listen through their microphones using the Pegasus spyware.
What precautions can one take?
Theoretically, astute cyber hygiene can safeguard against ESEM baits. But when Pegasus exploits a vulnerability in one’s phone’s operating system, there is nothing one can do to stop a network injection. Worse, one will not even be aware of it unless the device is scanned at a digital security lab.
Switching to an archaic handset that allows only basic calls and messages will certainly limit data exposure, but may not significantly cut down infection risk. Also, any alternative devices used for emails and apps will remain vulnerable unless one forgoes using those essential services altogether.
Therefore, the best one can do is to stay up to date with every operating system update and security patch released by device manufacturers, and hope that zero-day attacks become rarer. And if one has the budget, changing handsets periodically is perhaps the most effective, if expensive, remedy.
Since the spyware resides in the hardware, the attacker will have to successfully infect the new device every time one changes. That may pose both logistical (cost) and technical (security upgrade) challenges. Unless one is up against unlimited resources, usually associated with state power.