The Pegasus Issue


Shazneen Mistry

www.mediaeyenews.com

Pegasus, also known as Q Suite and marketed by the NSO Group (also known as Q Cyber Technologies), is “a world-leading cyber intelligence solution” that enables law enforcement and intelligence agencies to remotely and covertly extract data from “virtually any mobile devices”. It was developed by veterans of the Israeli intelligence agencies.

In October 2019, WhatsApp blamed the NSO Group for exploiting a vulnerability in its video-calling feature. “A user would receive what appeared to be a video call but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code to infect the victim’s phone with spyware. The person did not even have to answer the call,” WhatsApp chief Will Cathcart said.

In December 2020, a Citizen Lab report flagged how government operatives used Pegasus to hack 37 phones belonging to journalists, producers, anchors, and executives. Over 40 Indian journalists’ phone numbers were found on the hacking list of an unidentified agency that was using the Israeli spyware. The list’s potential targets included journalists from Hindustan Times, News18, the Wire, Indian Express, the Hindu, India Today, and many more.

The NSO Group, which sells Pegasus, said that it only offers this spyware to “vetted government personals”, and the company also refused to disclose customer details to the public. Though the company refused to name its customers, it can be seen that this spyware has infected India, which also strongly indicates that whoever is operating the spyware is an Indian official.

The issue was brought forward by the publishers of the Wire, Washington Post, The Guardian, Le Monde, and 13 other international publications that investigated this problem. It is important to note that only forensic testing can determine whether a smartphone or any other device has been snooped on by this military-grade spyware; the presence of one’s number on the list does not by itself settle the question either way.

Once infected, a phone becomes a digital spy under the attacker’s complete control. Pegasus contacts the attacker’s command and control (C&C) servers to receive and execute instructions and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls (even the end-to-end-encrypted messages). The attacker can control the phone’s camera, microphone, and GPS function to track a target.

To avoid extensive bandwidth consumption that may alert a target, Pegasus sends only scheduled updates to a C&C server. The spyware is designed to evade forensic analysis and avoid detection by anti-virus software, and it can be deactivated and removed by the attacker when and if necessary.

Theoretically, cyber hygiene can safeguard against ESEM baits, but when Pegasus exploits a vulnerability in a phone’s operating system, one cannot stop a network injection. Worse, one will not even be aware of it unless the device is scanned at a digital security lab. Switching to an archaic handset that allows only basic calls and messages will certainly limit data exposure but may not significantly cut down infection risk. Therefore, the best one can do is stay up to date with every operating system update and security patch released by device manufacturers, hoping that zero-day attacks become rarer. Moreover, if one has the budget, changing handsets periodically is perhaps the most effective, if expensive, remedy.

The government is trying to solve the problem as soon as it can, so that this spyware neither causes fear among the people nor exploits important information from their cell phones and other devices.

 

 

 
