Unlocking Pegasus Software: A toolkit for Android and iOS to alert about possible infection

Sunday, August 8, 2021

Last weekend, a group of international news outlets broke the news that multiple governments have been using spyware developed by NSO Group. Governments including those of Mexico, Morocco, and the United Arab Emirates reportedly used it to hack the phones of people who opposed them: journalists, activists, business executives, and politicians.

A list of 50,000 phone numbers, believed to be potential surveillance targets, came to the attention of Amnesty International and Forbidden Stories. Once the list had been shared with a global consortium of news outlets, researchers began forensically examining the phones of people on it to look for traces of Pegasus.

What is Pegasus Spyware?

Pegasus may well be the most sophisticated piece of spyware ever developed. If it infiltrates your phone without your noticing, the phone becomes a surveillance device that is active 24 hours a day. Pegasus can copy the messages you send and receive, access your photos, and record your calls. It can also film you through the phone's camera and record your conversations by switching on the microphone. Lastly, it can pinpoint your exact position, who you have been in contact with, and where you have been.

Where did Pegasus come from?

Pegasus was first discovered in 2016. That early variant got onto phones through malicious links that the target had to click; it has gone through many variations since. The spyware was developed by the Israeli company NSO Group, which builds, pitches, and licenses it to governments all over the world.

Since that first discovery in 2016 Pegasus has been refined repeatedly, and it can now infect a phone through a 'zero-click' attack, one that needs no action from the target: no link to tap and no attachment to open. To do that it exploits vulnerabilities in code that processes incoming data without user interaction, such as a messaging app, and these are often 'zero-day' flaws, security bugs in the phone's operating system or apps that the vendor does not yet know about and so has not patched.

Two years ago, in 2019, WhatsApp announced that over 1,400 phones had been compromised by NSO's software through a zero-day vulnerability in its voice-calling feature. The particularly worrying aspect of this attack was that the malicious Pegasus code could be delivered to a phone simply by placing a WhatsApp call to the target device; the call did not have to be answered. A more recent finding is that NSO has been exploiting flaws in Apple's iMessage, an attack surface that is present on every iPhone. In response, Apple pointed out that it continually ships updates to counter attacks such as this.

Understanding of Pegasus has improved, and with it the defences against it, if only slightly. A firmer grasp of the software's technical capabilities makes the traces it leaves on a phone easier to spot. Claudio Guarnieri, who heads Amnesty International's Berlin-based Security Lab and has driven much of this work, commented: 'Things are becoming a lot more complicated for the targets to notice.'

One of the methods at our disposal to analyse our phones for Pegasus is the Mobile Verification Toolkit, or MVT for short, released by Amnesty International's Security Lab. It works with both iOS and Android devices. MVT is a command-line tool, so it is not a polished piece of software that anyone can use; it requires a basic familiarity with the terminal. Compared with other command-line tools, though, MVT is relatively simple to use. It is also open source, which leaves the door open for someone to build a more accessible interface on top of it.

Once a backup of the phone has been made, the toolkit analyses that backup for indicators that the phone is infected, such as contact with domains and processes known to belong to Pegasus. If something looks like a compromise, the output files flag it. Unfortunately for Android users, infections are harder to detect on that operating system: Android retains fewer of the diagnostic logs and databases that the iOS checks rely on, so MVT's Android coverage is more limited.
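To make those 'indicators' concrete, here is an added example, written for this post and not taken from MVT's source code, showing the core of what an indicator-of-compromise scan does: it reads the domain and process indicators out of a STIX2 bundle and matches them against a Safari history table and a process list recovered from a backup. The bundle, the domains, the process name `fakeagentd` and the history rows are all constructed for the example and are not real Pegasus indicators; the pattern parser only understands the simple one-value STIX patterns such bundles use, and MVT's real checks cover many more artefacts (SMS attachments, WebKit resource-load logs, network-usage databases and so on).

```python
import json
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed STIX2 bundle for illustration only. This is NOT Amnesty's
# pegasus.stix2; every domain and process name below is fictional.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'update-sync.example']", "pattern_type": "stix"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'cdn.metrics-host.example']", "pattern_type": "stix"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[process:name = 'fakeagentd']", "pattern_type": "stix"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "Pegasus"},
    ],
})

# Only the simple single-comparison patterns used by IOC bundles of this kind
# are parsed; anything more complex is ignored rather than mis-read.
PATTERN_RE = re.compile(r"^\[(domain-name|email-addr|process):(?:value|name)\s*=\s*'([^']+)'\]$")


def load_indicators(bundle_json):
    """Return lower-cased indicator values grouped by STIX object type."""
    iocs = {"domain-name": set(), "email-addr": set(), "process": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if m:
            kind, value = m.groups()
            iocs[kind].add(value.lower())
    return iocs


# Safari's History.db stores visit times as seconds since 2001-01-01 UTC
# ("Mac absolute time"), so they must be converted before building a timeline.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def mac_absolute_to_iso(seconds):
    return (MAC_EPOCH + timedelta(seconds=seconds)).isoformat()


# Constructed rows, shaped like history_visits joined to history_items.
SAFARI_HISTORY = [
    (647349243.0, "https://www.example.org/news/"),
    (647349251.5, "HTTPS://Update-Sync.example/sync?id=7"),    # case differs from the indicator
    (647349260.0, "https://a.cdn.metrics-host.example/s.js"),  # subdomain of an indicator
    (647349270.0, "https://metrics-host.example.com/"),        # look-alike, must NOT match
]

# Constructed process list, as a live-device check might collect it.
RUNNING_PROCESSES = ["launchd", "SpringBoard", "fakeagentd"]


def host_matches(url, domains):
    """True if the URL's host is an indicator domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


def check_safari_history(rows, iocs):
    return [
        {"timestamp": mac_absolute_to_iso(ts), "module": "safari_history", "url": url}
        for ts, url in rows
        if host_matches(url, iocs["domain-name"])
    ]


def check_processes(names, iocs):
    return [{"module": "processes", "name": n} for n in names if n.lower() in iocs["process"]]


def scan(bundle_json=STIX_BUNDLE, history=SAFARI_HISTORY, processes=RUNNING_PROCESSES):
    """Run every check and return a report with a time-ordered detection timeline."""
    iocs = load_indicators(bundle_json)
    detected = check_safari_history(history, iocs) + check_processes(processes, iocs)
    timeline = sorted((d for d in detected if "timestamp" in d), key=lambda d: d["timestamp"])
    return {
        "indicators_loaded": {k: len(v) for k, v in iocs.items()},
        "detected": detected,
        "timeline": timeline,
    }


if __name__ == "__main__":
    print(json.dumps(scan(), indent=2))
```

Run as a script it prints the JSON report; note that the look-alike host `metrics-host.example.com` is correctly left out, and that matching is done on the parsed hostname rather than by searching the raw URL string, which is what keeps such false positives out. In MVT itself the equivalent step for an iPhone is `mvt-ios check-backup --iocs pegasus.stix2 --output results/ /path/to/backup/` run against a decrypted backup, with any hits written to output files whose names end in `_detected` alongside a timeline.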

The level of sophistication that the Pegasus software has reached will certainly be worrying for a lot of people around the world. Particularly so because governments are using it to spy on their vocal opposition. One can hope that as our understanding of the spyware increases, the defences against it will also improve.