Pegasus Issue Simplified (1/2)

Updated: Oct 25, 2021

Here's a comprehensive view on Pegasus, the spyware named after the mythical winged horse: the Trojan that flies through the air.

What is Pegasus and how does it operate?

Pegasus is the flagship product of Israeli cyber-surveillance company NSO Group, perhaps the best known of the new spyware (cyber-surveillance) companies. NSO Group’s technology allows its clients (which the company says are always governments, never private individuals or companies) to target specific phone numbers and infect the associated devices with Pegasus code.

Pegasus can infect both iPhones and Android phones, and in some circumstances it uses zero-click attacks. Such attacks may succeed when the attacker is within range of the phone they want to compromise, or simply by calling the phone or sending an email that is opened on it; either way, a vulnerability is exploited and the malware takes control of the device.

Over the previous five years Pegasus has grown from a rudimentary, social-engineering-based system into software that can compromise a phone without the user clicking on a single link (zero-click exploits).

Note: The idea is not to implicate a company or its software. NSO claims its work is to catch criminals, while The Pegasus Project alleges that government espionage is often done using Pegasus spyware. Our aim is to 1) show how zero-click exploits and network injections work, and 2) talk about detection and defense against spyware.

Zero Click Exploits

Pegasus hacking attacks once required a target’s active participation. Pegasus operators sent text messages containing a malicious link to their target’s phone. If the target clicked, a malicious page would open on their web browser to download and execute the malware, infecting the device.

Social engineering techniques helped manipulate targets into clicking by embedding the link in messages designed to appeal to their fears or interests. Eventually, the public became more aware of these tactics and was better able to spot malicious spam. Something more subtle was required.

The solution was the use of so-called ‘zero-click exploits.’ These vulnerabilities do not rely on the target doing anything at all in order for Pegasus to compromise their device. Zero-click exploits rely on bugs in popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data, sometimes from unknown sources.

Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call — they may not even see a missed call or message.

Network Injection

Apart from zero-click exploits, NSO Group’s clients can also use so-called “network injections” to quietly access a target’s device.

A target’s web browsing can leave them open to attack even without clicking a specially crafted malicious link. For instance, during routine online activity the victim might be led to visit a website that is not fully secured. Pegasus can access the phone and infect it when the user follows a link to such an unprotected site.

However, this technique is harder to carry out than attacking a phone with a malicious URL or a zero-click exploit, because the target’s mobile phone use must be monitored until the moment their internet traffic is unprotected, so that they can be redirected to the clickable exploit at exactly that point.
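The condition described above (plaintext traffic that is suddenly redirected somewhere else) is also what a defender can look for. The following is an added example, not code from the article or from any Pegasus investigation: a small Python heuristic that scans constructed browser/proxy log records and flags plaintext HTTP requests answered with a redirect to an unrelated domain, while ignoring the ordinary same-site HTTPS upgrades every browser sees. The log format and the two-label "registrable domain" approximation are assumptions for the example.

```python
"""Network-injection detection heuristic (added example, constructed data)."""
from urllib.parse import urlparse

# Constructed sample log: (timestamp, requested URL, HTTP status, Location header or None)
SAMPLE_LOG = [
    # benign: plain-HTTP request upgraded to HTTPS on the same site
    ("2021-10-25T10:00:01", "http://news.example.org/", 301, "https://news.example.org/"),
    ("2021-10-25T10:00:02", "https://news.example.org/", 200, None),
    # suspicious: plain-HTTP request bounced to an unrelated host (injection pattern)
    ("2021-10-25T10:05:10", "http://weather.example.net/today", 302,
     "https://cdn-update.example-exploit.test/x"),
    ("2021-10-25T10:05:11", "https://cdn-update.example-exploit.test/x", 200, None),
    # benign: cross-host redirect, but over HTTPS and within the same parent domain
    ("2021-10-25T10:07:00", "https://bank.example.com/login", 302,
     "https://auth.bank.example.com/sso"),
]


def registrable(host):
    """Crude eTLD+1: the last two labels (assumption; real tooling should use
    the public suffix list so that e.g. co.uk domains are handled correctly)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def find_injection_candidates(records):
    """Return plaintext-HTTP requests that were redirected off-site.

    An on-path injector can only tamper with unencrypted traffic, and the
    visible symptom is a 3xx that sends the browser to a host the user never
    asked for. Same-site redirects (HTTPS upgrades, login flows) are skipped.
    """
    hits = []
    for ts, url, status, location in records:
        req = urlparse(url)
        if req.scheme != "http" or location is None or not 300 <= status < 400:
            continue  # encrypted, or not a redirect: not the injection pattern
        dest = urlparse(location)
        if registrable(dest.hostname or "") == registrable(req.hostname or ""):
            continue  # ordinary same-site redirect
        hits.append({"time": ts, "from": url, "to": location, "status": status})
    return hits


if __name__ == "__main__":
    for hit in find_injection_candidates(SAMPLE_LOG):
        print(f"{hit['time']} plaintext request {hit['from']} redirected to {hit['to']}")
```

Flagged entries still need review, since legitimate cross-domain redirects (CDNs, ad networks) exist; the heuristic narrows the search, it does not prove an injection.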

That's just half the story; we're working on simplifying the Pegasus issue for you and will be back with part 2 of this article. Stay tuned to Byte Sized for more interesting insights!
