There is nothing particularly complicated about how the Pegasus spyware infects the phones of victims. The initial hack involves a crafted SMS or iMessage that provides a link to a website. If clicked, this link delivers malicious software that compromises the device.
Once installed, Pegasus can read text messages, track calls, collect passwords, trace the phone's location, access the target device's microphone(s) and camera(s), and gather information from apps: everything you would expect from spyware.
Sunny Nehra, admin at Hacks and Security, said, “Pegasus, the iOS Trident vulnerabilities and the WhatsApp missed-call vulnerability (CVE-2019-3568) are quite different from each other. Pegasus is fully-fledged spyware that is created to spy on complete operating systems (we are aware of its samples for iOS and Android; it may have versions for other OSes too which may not have been detected so far). The important thing to understand is that there is a lot of spyware you can find on the internet (you can purchase and use it, but please use it for parental control or other legal use only), but what makes Pegasus special is not the spyware itself (of course all spyware does a similar type of spying on phones) but rather the vulnerabilities that it comes with, which help its installation.”
When we asked Manu Zacharia, a Cyber Security Analyst, about ways to stay protected from this spyware, he said, “Technically you cannot protect someone from being spied on or from these spyware programs, as these companies use some undisclosed tactics to enter someone’s phone. But the best way to stay safe from this spying software is to interact only with those whom you trust and not to accept documents or unknown files through messaging apps.”
That being said, it should be obvious that NSO will keep its spyware updated with the latest vulnerabilities it obtains, and that is what has been going on. NSO claims that it provides the spyware to authorised government agencies, in a legal way, to combat terror and crime, but it has been found several times that its spyware has been used to spy on human rights activists, journalists and others. The aim is to seize full control of the mobile device’s operating system, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices).
On Android you can always install apps that are not available in the Play Store: you just need to allow installation from unknown sources and, if the app is not well known but still asks for critical permissions, disable the Google Play Protect scan (a kind of antivirus). With root, such an app can usually be given even more power, for example by turning it into a system-level app that controls other apps, and much more. Similarly, a jailbreak can be deployed on Apple devices to allow the installation of apps not available on the Apple App Store, or to unlock the phone for use on alternative cellular networks. Many jailbreak approaches require the phone to be connected to a computer each time it’s turned on (referred to as a “tethered jailbreak”).
Rooting and jailbreaking both remove the security controls embedded in the Android or iOS operating systems. They are typically a combination of configuration changes and a “hack” of core elements of the operating system to run modified code. In the case of spyware, once a device is unlocked, the perpetrator can deploy further software to secure remote access to the device’s data and functions. The user is likely to remain completely unaware.
The spyware infects Android devices too but isn’t as effective there, because it relies on a rooting technique that isn’t 100 per cent reliable. When the initial infection attempt fails, the spyware supposedly prompts the user to grant the relevant permissions so it can be deployed effectively. Apple devices are generally considered more secure than their Android equivalents, but neither type of device is 100 per cent secure.
Apple applies a high level of control to the code of its operating system, as well as apps offered through its app store. This creates a closed system often referred to as “security by obscurity”. Apple also exercises complete control over when updates are rolled out, which are then quickly adopted by users.
On the other hand, Android devices are based on open-source concepts, so hardware manufacturers can adapt the operating system to add additional features or optimise performance. We typically see a large number of Android devices running a variety of versions — inevitably resulting in some unpatched and insecure devices (which is advantageous for cybercriminals).
Ultimately, both platforms are vulnerable to compromise. The key factors are convenience and motivation. While developing an iOS malware tool requires greater investment in time, effort and money, having many devices running an identical environment means there is a greater chance of success at a significant scale.
What should you do to be better protected?
- Although most people are unlikely to be targeted by this type of attack, there are still simple steps you can take to minimise your potential exposure — not only to Pegasus but to other malicious attacks too.
- Only open links from known and trusted contacts and sources when using your device. Pegasus is deployed to Apple devices through an iMessage link. And this is the same technique used by many cybercriminals for both malware distribution and less technical scams. The same advice applies to links sent via email or other messaging applications.
- Make sure your device is updated with any relevant patches and upgrades. While having a standardised version of an operating system creates a stable base for attackers to target, it’s still your best defence. If you use Android, don’t rely on notifications for new versions of the operating system. Check for the latest version yourself, as your device’s manufacturer may not be providing updates.
- Although it may sound obvious, you should limit physical access to your phone. Do this by enabling a PIN, fingerprint or face lock on the device. The eSafety Commissioner’s website has a range of videos explaining how to configure your device securely.
- Avoid public and free WiFi services (including hotels), especially when accessing sensitive information. The use of a VPN is a good solution when you need to use such networks.
- Encrypt your device data and enable remote-wipe features where available. If your device is lost or stolen, you will have some reassurance your data can remain safe.
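The Android points above (sideloading and Play Protect in the rooting discussion, and the patch-level, encryption and update advice in this checklist) can be audited from a computer with `adb`. This is an added example, not code from the article: it parses the `[key]: [value]` output of `adb shell getprop` plus a few `adb shell settings get` values, and reports the findings a defender would act on. The 90-day staleness threshold and the use of `package_verifier_enable` as the backing key for Play Protect's app verification are assumptions; the sample device dump is constructed.

```python
"""Audit an Android device's posture from getprop/settings output."""
import re
import subprocess
from datetime import date

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$", re.M)
MAX_PATCH_AGE_DAYS = 90  # assumption: older patch levels count as stale


def parse_getprop(text):
    """Turn `[key]: [value]` lines from `adb shell getprop` into a dict."""
    return dict(PROP_RE.findall(text))


def audit(props, settings, today_iso):
    """Return a list of findings (empty list means nothing to fix)."""
    findings = []
    patch = props.get("ro.build.version.security_patch", "")
    try:
        age = (date.fromisoformat(today_iso) - date.fromisoformat(patch)).days
    except ValueError:
        findings.append("security patch level missing or unparsable")
    else:
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"security patch level {patch} is {age} days old")
    if props.get("ro.crypto.state") != "encrypted":
        findings.append("device storage is not encrypted")
    # Assumed: Settings.Global package_verifier_enable backs the Play Protect
    # 'verify apps' toggle; `settings get` prints "null" if never written.
    if settings.get("global/package_verifier_enable") != "1":
        findings.append("Play Protect app verification is not enabled")
    # Pre-Android 8 global 'unknown sources' switch; newer releases use a
    # per-app permission instead, so "null" here is not a finding.
    if settings.get("secure/install_non_market_apps") == "1":
        findings.append("installation from unknown sources is enabled")
    return findings


# Constructed sample dump: patched in March 2021, verifier switched off.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-03-05]
[ro.crypto.state]: [encrypted]
"""
SAMPLE_SETTINGS = {"global/package_verifier_enable": "0",
                   "secure/install_non_market_apps": "null"}

if __name__ == "__main__":
    for line in audit(parse_getprop(SAMPLE_GETPROP), SAMPLE_SETTINGS,
                      date.today().isoformat()):
        print("FINDING:", line)
```

Against a real device, replace the sample with `subprocess.check_output(["adb", "shell", "getprop"], text=True)` and `adb shell settings get global package_verifier_enable` / `adb shell settings get secure install_non_market_apps`.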