The Pegasus spy scandal was the largest since Edward Snowden's revelations.
Truly mass surveillance
An investigation into the mass surveillance of journalists and human rights defenders was published last week. It focused on the tools of the Israeli company NSO Group, a well-known developer of cyber-intelligence systems; the main surveillance tool was the Pegasus software. NSO has been supplying its products to the market since 2016. For how many years NSO customers have been using Pegasus is still unknown.
The authors of the investigation concluded that the subscribers of more than 50,000 phone numbers were possible victims of surveillance using this spy tool. Another, much smaller list was also obtained: about a thousand numbers against which the hacking tools were probably used. The experts analyzed this list and found the phone numbers of many famous people in it.
President of France Emmanuel Macron, founder of the social network VKontakte and the Telegram service Pavel Durov, several dozen senior managers, several ministers and even prime ministers, politicians, officials, human rights activists, and members of Arab royal families are among them. This means that NSO customers who bought tracking tools were interested in surveilling these people.
Attack vector: phishing links and zero-day vulnerabilities
On the website of the Organized Crime and Corruption Reporting Project (OCCRP), journalists published an article in which they explained in detail how the gadgets of the Pegasus victims were infected and how the spyware worked.
At first, phishing links were used. The victim received a link, followed it, and a malicious application was then downloaded to their device. To make potential victims more likely to react to such emails, they first received spam messages and then another message with a link that would supposedly let them unsubscribe from the spam. Other social engineering techniques were sometimes used to convince even digital-security-savvy users to follow a dangerous link.
Subsequently, the attack organizers began to use more sophisticated methods. NSO specialists used so-called zero-day vulnerabilities (0-day vulnerabilities). Their defining feature is that the vendors of the affected software (for example, of the Android and iOS operating systems or of the WhatsApp messenger) do not yet know about them, so no protection against such threats exists at the time. This allowed the attackers to break into the device and infect it with malicious software.
In this case, so-called zero-click exploits were the most commonly used. They are especially dangerous because the user does not have to click on a questionable link for the device to be infected. The victims are sure that they never follow unknown links and behave very carefully, while in the meantime the attackers control the device and the users do not even know about it.
The OCCRP article mentions other methods of infection as well, for example network injection, which redirects the victim's traffic to malicious web pages.
After infection, the malicious software intercepted the contents of the smartphone and gained access to its microphone, camera, the files on the device, and the accounts used by the device owner. The spyware saw the geolocation of the smartphone and could quietly turn on the camera and microphone.
That is, the Pegasus victims got a real spy in their pockets.
Why is this story so dangerous?
Snowden called the story the spy scandal of the year and called for a ban on the sale of such dangerous apps.
"It’s like an industry where the only thing they did was create custom variants of Covid to dodge vaccines," he said. "Their only products are infection vectors. They’re not security products. They’re not providing any kind of protection, any kind of prophylactic. They don’t make vaccines – the only thing they sell is the virus," The Guardian quoted Snowden.
In addition to the scale of the surveillance and the massive use of these tools, zero-day vulnerabilities and zero-click exploits have become a problem. Typically, big companies pay a lot of money for information about such vulnerabilities and promptly fix them; this is the legal income of the security specialists who find them. NSO's access to zero-day vulnerabilities, and its use of them to infect devices, is a very bad precedent: it suggests that there is a market for 0-day vulnerabilities and that almost anyone can buy a "hole" in popular software.
And zero-click exploits nullify all the usual digital security rules, because one does not need to click on a link or visit a web page to become a victim of Pegasus. Amid such stories, the very concept of a secure gadget is gradually eroded.
How to check if you are a victim of wiretapping
Pavlo Belousov, digital security expert of Internews-Ukraine NGO (the project Digital Security School 380), explained how to check if you were a victim of wiretapping through Pegasus.
"To check if there are traces of Pegasus on your smartphone, you need to install certain software on your computer, make a full backup of your smartphone and use this installed software to scan the archive with the contents of the phone."
Pavlo Belousov, expert on digital security at Internews Ukraine NGO, project Digital Security School 380
A tool called the Mobile Verification Toolkit (MVT) works on both iPhone and Android, but in slightly different ways, explain the authors of the Pegasus verification and protection guide published by the outlet TechCrunch. You may need the help of a technician to use this tool.
MVT will help you make a full iPhone backup and, after scanning it, will report any indicators of compromise (IoCs) associated with the delivery of NSO tools to the device. These may include, for example, domain names used in the NSO infrastructure. TechCrunch reporters showed that scanning the archive took several minutes.
Detecting an infection on Android devices is somewhat more difficult, but quite possible. MVT takes a similar approach, scanning your Android backup for text messages that refer to domains used by NSO. The same tool can also check the applications installed on your smartphone for potentially dangerous ones.
"Since some methods of delivering malware (messages, mail, websites, etc.) are known, the traces (indicators) found will indicate that Pegasus is present on the phone or that there was an attempt to install it. If no traces were found, this does not mean that there was no hacking attempt, since the user (potential victim) could have deleted the message with the malicious links earlier, and this indicator is no longer in the created backup copy."
Pavlo Belousov, expert on digital security at Internews Ukraine NGO, project Digital Security School 380
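The scan described above, in miniature: walk the text messages in a backup export and flag any that link to a domain on an indicator-of-compromise list, matching subdomains as well as exact hosts. This is an added illustration written for this article, not MVT's own code; the message records and the IoC domains (all under the reserved `.invalid` suffix) are constructed placeholders, and a real scan would use a published indicator list and the backup's real message table.

```python
"""Toy indicator-of-compromise (IoC) scan over text messages from a phone backup.

Added illustration, not MVT's own code. The message records and IoC domains
below are constructed placeholders (reserved .invalid / .example names).
"""
import re
from urllib.parse import urlparse

# Constructed IoC list: placeholder domains, not real NSO infrastructure.
IOC_DOMAINS = {
    "updates-check.invalid",
    "sms-unsubscribe.invalid",
}

# Constructed sample of SMS records, shaped like a simple backup export.
SAMPLE_MESSAGES = [
    {"id": 1, "from": "+10000000001", "text": "Your package is ready: https://track.courier.example/abc"},
    {"id": 2, "from": "+10000000002", "text": "Stop receiving offers: http://cdn.sms-unsubscribe.invalid/u/7f3"},
    {"id": 3, "from": "+10000000003", "text": "Dinner at 8?"},
    {"id": 4, "from": "+10000000004", "text": "see updates-check.invalid/verify now"},
]

# Matches URLs with or without a scheme (phishing texts often drop "http://").
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)


def extract_hosts(text):
    """Return the lowercase hostname of every URL-like token in text."""
    hosts = []
    for m in URL_RE.finditer(text):
        token = m.group(0)
        if not token.lower().startswith(("http://", "https://")):
            token = "http://" + token  # bare domains: give urlparse a scheme
        host = urlparse(token).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def matches_ioc(host, ioc_domains=IOC_DOMAINS):
    """True if host equals an IoC domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan_messages(messages, ioc_domains=IOC_DOMAINS):
    """Return (message_id, matched_host) for every message linking to an IoC domain."""
    hits = []
    for msg in messages:
        for host in extract_hosts(msg.get("text", "")):
            if matches_ioc(host, ioc_domains):
                hits.append((msg["id"], host))
    return hits


if __name__ == "__main__":
    for msg_id, host in scan_messages(SAMPLE_MESSAGES):
        print(f"message {msg_id}: links to IoC domain {host}")
```

Note the limitation Belousov points out: the scan can only see messages that are still in the backup, so an empty result shows the absence of indicators, not the absence of an attempt.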
How to check for spyware
The NSO story brought to mind other dangerous surveillance apps that may appear on your smartphone. Besides spyware, these include stalkerware. Its victims can be ordinary people, spied on by partners, business competitors, or other attackers.
Here are some signs of stalking software on your gadget:
- WiFi, mobile Internet or geolocation suddenly turning on, although the owner of the device manually disabled these options. Settings changing without the owner's involvement is one of the main signs of unwanted applications on the smartphone;
- unexpectedly large volumes of traffic transmitted by your smartphone;
- the device working noticeably slower and its battery draining faster;
- unexpected notifications and messages appearing on the device, including program errors.
To remove suspicious applications, you need to:
- restart the device in safe mode;
- check all installed applications and remove unexplained and suspicious ones;
- change the passwords of your online accounts where possible and enable two-factor authentication.
How to protect yourself from such hacks
Pavlo Belousov advises the following:
"This attack exploits vulnerabilities in the smartphone operating system and is quite expensive, so it is not used as massively as others. But in order to reduce the risk (of this and other attacks), you should always update the applications and the operating system of your devices, and not click on suspicious and unverified links, pictures or videos. In addition, you must use unique strong passwords and two-factor authentication and install trusted programs from official sources."
To check an Android device, it is worth finding out which apps have access to the smartphone's accessibility features. This permission is one of the most powerful on the Android platform, and, by and large, it should only be enabled for an antivirus.
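One way to perform that check from a computer, as an added example not taken from the article or any vendor tool: Android keeps the list of enabled accessibility services in the `Settings.Secure` key `enabled_accessibility_services`, readable over USB debugging with `adb shell settings get secure enabled_accessibility_services`. The value is a colon-separated list of `package/.ServiceClass` entries. The script below parses that value and reports every package not on an allowlist you maintain; the allowlist package names are constructed placeholders that you would replace with the packages you knowingly granted access (for example your antivirus).

```python
"""Report which apps hold Android's accessibility-service permission.

Added illustration, not from the article or any vendor tool. Reads the
Settings.Secure key `enabled_accessibility_services` over adb and flags every
entry whose package is not on the allowlist. Allowlist names are placeholders.
"""
import subprocess

# Constructed allowlist: packages you knowingly granted accessibility access.
# Replace with the real package names on your own device.
ALLOWED_PACKAGES = {"com.example.antivirus"}


def parse_services(raw):
    """Split the Settings.Secure value into (package, service) pairs."""
    raw = (raw or "").strip()
    if raw in ("", "null"):  # 'settings get' prints "null" when the key is unset
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            pairs.append((pkg, svc))
    return pairs


def unexpected_services(raw, allowed=ALLOWED_PACKAGES):
    """Return the (package, service) entries whose package is not allowlisted."""
    return [(pkg, svc) for pkg, svc in parse_services(raw) if pkg not in allowed]


def read_from_device():
    """Query the connected device (needs USB debugging enabled and adb on PATH)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    for pkg, svc in unexpected_services(read_from_device()):
        print(f"review: {pkg} ({svc}) has accessibility access but is not on the allowlist")
```

Anything the script reports is a candidate for the removal steps above (safe mode, review, uninstall), not proof of spyware by itself; a screen reader or automation tool you installed yourself will show up the same way until you add it to the allowlist.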
To protect yourself from spyware, you need to do the following:
- protect your device from unauthorized physical access, that is, set a screen lock password and enable two-factor authentication;
- use a reliable antivirus;
- regularly check your passwords for leaks and change them if necessary.