Context: Israeli company NSO Group’s Pegasus spyware targeted over 300 mobile phone numbers in India.

More in the news:

  • The target list includes two serving Ministers in the government, three Opposition leaders, one constitutional authority, several journalists and business persons.
  • In the past, similar claims were made regarding the use of Pegasus on WhatsApp by the Indian state.
    • Those reports also had no factual basis and were categorically denied by all parties, including WhatsApp in the Indian Supreme Court.
  • WhatsApp was one of the attack vectors used to infiltrate the mobile phones of selected targets using Pegasus. 
    • Other known vectors include SMS and iPhone’s iMessage service in addition to unknown vulnerabilities that a Pegasus user might exploit to install the spyware.
  • WhatsApp sued the NSO Group in a federal court in San Francisco, accusing it of using WhatsApp servers in the United States and elsewhere to send malware to approximately 1,400 mobile phones and devices (Target Devices). 
    • According to the suit, the purpose was to conduct surveillance of specific WhatsApp users (Target Users).
  • The NSO Group is a Tel Aviv-based cyber-security company. 
    • It specialises in “surveillance technology” and claims to help governments and law enforcement agencies across the world fight crime and terrorism.

Once installed, what can Pegasus do?

  • It can send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.
  • The target’s phone camera and microphone can be turned on to capture all activity in the phone’s vicinity, expanding the scope of the surveillance. 
  • According to claims in a Pegasus brochure that WhatsApp has submitted to court as a technical exhibit, the malware can also access email, SMS, location tracking, network details, device settings, and browsing history data. 
    • All of this takes place without the target user’s knowledge.
  • Other key features of Pegasus, according to the brochure, are:
    • Ability to access password-protected devices, 
    • Being totally transparent to the target, 
    • Leaving no trace on the device, 
    • Consuming minimal battery, memory and data so as to not arouse suspicion in more alert users, 
    • A self-destruct mechanism in case of risk of exposure, and
    • Ability to retrieve any file for deeper analysis.
  • Pegasus can work on BlackBerry, Android, iOS (iPhone) and Symbian-based devices. 
    • The mention of the now-discontinued mobile OS Symbian (Nokia phones) and the no longer popular BlackBerry suggests that the document is old and that Pegasus has certainly been upgraded over the years.

Can Pegasus be used to target just about anyone?

  • Technically, yes. But while tools such as Pegasus can be used for mass surveillance, it would seem likely that only selected individuals would be targeted.
  • In the present case, WhatsApp has claimed that it sent a special message to approximately 1,400 users who it believed were impacted by the attack, to directly inform them about what had happened.
  • The NSO Group, while disputing WhatsApp’s allegations in the strongest possible terms, has said that: 
    • It provides the tool exclusively to licensed government intelligence and law enforcement agencies, and not just to anyone who wants it.

Related Facts

About Pegasus:

  • It is spyware: software that spies on people through their phones.
  • It works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone.
    • A presumably newer version of the malware does not even require a target user to click a link.
  • Once Pegasus is installed, the attacker has complete access to the target user’s phone.
  • The first reports on Pegasus’s spyware operations emerged in 2016, when Ahmed Mansoor, a human rights activist in the UAE, was targeted with an SMS link on his iPhone 6.
  • The Pegasus tool at that time exploited a software flaw in Apple’s iOS to take over the device.
    • Apple responded by pushing out an update to “patch” or fix the issue.
  • Pegasus delivers a chain of zero-day exploits to penetrate security features on the phone and installs itself without the user’s knowledge or permission.
    • A zero-day exploit takes advantage of a completely unknown vulnerability, about which even the software manufacturer is not aware, so no patch or fix is available for it.
    • In the specific cases of Apple and WhatsApp, therefore, neither company was aware of the security vulnerability, which was used to exploit the software and take over the device.
