This month, spyware called Pegasus has been making headlines. Pegasus can infect up-to-date Android and iOS smartphones, and once inside, it runs in the background and can spy on everything. It can harvest SMS, email, and WhatsApp messages. It can record calls, activate the camera, activate the microphone, and get the GPS location. It can collect photos, videos, contact lists, browsing histories, and even passwords. It was developed by NSO Group, an Israel-based technology firm, and is officially sold to governments for the purpose of spying on criminals and terrorists. However, the Pegasus Project—a collaboration between 80 journalists from 10 different countries, with support from Forbidden Stories and Amnesty International—claims that Pegasus is being used by some of NSO Group’s clients to spy on journalists, activists, and government officials. The investigation of a data leak of 50,000 phone numbers revealed that at least 180 journalists were potentially targeted by the spyware. Amnesty International published their forensic methodology to find the spyware on smartphones, and noted that a Pegasus attack against an iPhone 12 running iOS 14.6 took place as recently as July 2021. Today, Reuters reported that the phone of France’s finance minister, Bruno Le Maire, is being investigated to determine if there are signs of Pegasus spyware. NSO Group disputes the claims of the Pegasus Project, and The Guardian published a summary of their response.
Aside from its ability to gain complete access to an Android or iOS smartphone, what makes Pegasus significant is its use of zero-click attacks to infect them. A zero-click attack is one in which the target does not need to interact with the message that contains the payload for the attack to work; instead, simply receiving the message affects the target. This is in contrast to a regular phishing attack, in which the target would need to click on a link or an attachment to get infected with malware. The scary thing about a zero-click attack is that a victim’s device can be affected without any kind of clear indicator, such as a phishing email.
Although Pegasus and zero-click attacks have gained recent media attention, they are not new. In December 2020, Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis, and Ron Deibert of the Citizen Lab, based at the University of Toronto, published The Great iPwn, a report about governments’ use of Pegasus spyware to hack 36 personal phones of employees at Al Jazeera and one phone of an Al Araby TV journalist. Furthermore, Pegasus has been used by nation-states since 2016. Zero-click attacks often use zero-day vulnerabilities, but they are not to be confused with zero-day attacks. A zero-day attack exploits a vulnerability that was previously unknown to the makers of the affected hardware or software, to the public, and to antivirus programs and rule-based intrusion detection systems. A zero-day attack does not require the involvement of a zero-click attack, and vice versa. That said, according to the forensic methodology report by Amnesty International, Pegasus uses multiple zero-day exploits for its zero-click attacks. When the zero-day vulnerabilities are no longer zero-day vulnerabilities and have been patched by the software developers, new zero-day vulnerabilities are used for Pegasus. The Guardian notes that a WhatsApp zero-day vulnerability was being exploited by Pegasus in 2019. As of this year, zero-day vulnerabilities within Apple’s iMessage are being exploited. Pegasus is only deployed against specific people rather than the general public, but if you have an iPhone, you do not use iMessage, and you are concerned about your privacy, you may want to consider turning off iMessage until Apple patches the zero-day vulnerabilities within iMessage.