Securing the Digital Frontier (eBook)
572 pages
Wiley-Scrivener (publisher)
978-1-394-26889-4 (ISBN)
Secure your understanding of vital security and forensic strategies by purchasing Securing the Digital Frontier: Threats and Advanced Techniques in Security and Forensics, a definitive guide that empowers you to protect sensitive information and tackle cyber threats with insights from leading experts and real-world case studies.
In the field of security and forensics, it's crucial to implement strong security measures to protect sensitive data and effectively respond to cyber incidents. Digital forensics is vital for analyzing cyber threats, where experts use advanced techniques to scrutinize digital artifacts, system logs, and network traffic. This approach helps reconstruct incidents, pinpoint vulnerabilities, and support legal actions, ensuring the confidentiality, integrity, and availability of crucial data in our rapidly evolving digital world.
This book provides an in-depth look at security and forensics, pooling knowledge from top experts across various cybersecurity domains. It focuses on real-world applications and case studies, offering valuable insights for protecting information and responding to digital crimes. Designed for cybersecurity professionals, digital forensics investigators, legal teams, and academics, this comprehensive guide is a key resource for anyone looking to deepen their understanding of modern digital forensics and cybersecurity challenges.
Kavita Sharma, PhD, is a professor in the Department of Computer Science and Engineering at Galgotias College of Engineering and Technology, Greater Noida, India with over 12 years of research and academic experience. She has also been awarded a research fellowship from the Ministry of Electronics and Information Technology from the Government of India. Additionally, she has four patents (one granted and three published) and one granted design and has published seven books and 45 research articles in international journals and conferences of high repute.
Vishnu Sharma, PhD, is the Head of Department and a professor in the Department of Computer Science and Engineering at Galgotias College of Engineering and Technology, Greater Noida, India with over 21 years of teaching experience. He has published over 50 research papers on mobile ad-hoc networks and mobile computing in national and international conferences and journals, as well as two books on mobile computing and advanced mobile computing. Additionally, he has organized several national and international conferences and workshops and serves as the editor of IEEE Conference ICCCA proceedings.
Parma Nand, PhD, is the Dean of Academics at Sharda University, Greater Noida, India. He has over 26 years of teaching, industry, and research experience, emphasizing bridging the gap between academics and industry keeping in mind the growing IT industry in terms of futuristic technologies. Through his work, he has provided consultancy on a number of projects for industries and has delivered many invited and keynote talks at national and international conferences, workshops, and seminars in India and abroad. He has published more than 85 papers in peer-reviewed national and international journals and conferences, as well as two filed patents.
Anil Kumar Sagar, PhD, is a professor in the Department of Computer Science and Engineering in the School of Engineering and Technology, Sharda University, India with over 20 years of experience in teaching, guiding ten Master's of Technology and five doctoral candidates in computer science. He also serves as a member of the editorial boards and review committees for many national and international journals and has served as a program and organizing committee member for several conferences.
Gulshan Shrivastava, PhD, is an associate professor in the Department of Computer Science and Engineering at Galgotias University, Greater Noida, India. He has five patents (four granted, one published) and 55 articles, books, and editorials in international journals and conferences of high repute. He also serves many reputed journals as a guest editor, editorial board member, international advisory board member, and reviewer board member and has delivered expert talks and guest lectures at numerous international conferences.
1
Pegasus—A Menace to Privacy and Security
Raunaq Khurana* and Shilpa Mahajan
Department of Computer Science, The NorthCap University, Gurugram, Haryana, India
Abstract
The Israeli-based cyber group NSO developed Pegasus, a spyware that can access and collect data from a target system without the user’s consent. Pegasus commonly exploits zero-day vulnerabilities, which are system weaknesses that the manufacturer has not addressed or is unaware of. This chapter thoroughly examines the Pegasus spyware, highlighting the unique features that make it significantly harder to detect than other malicious software. It presents an extensive analysis of Pegasus on both iOS and Android operating systems, with the intention of educating readers about its capabilities and advocating for the use of advanced technologies such as AI, ML/DL to develop effective countermeasures against spyware, malware, and adware. The chapter also includes various case studies that illustrate the transformation of Pegasus over time and the measures taken to prevent its infiltration into user devices. To facilitate readers’ understanding, the chapter provides essential security checklists that help identify Pegasus’s monitoring mechanisms.
Keywords: Malware/spyware, encryption, vulnerability, vishing
1.1 Introduction
Spyware is harmful software made with the intention of stealing data from a system and sharing it with unidentified outside third parties. Pegasus is a sophisticated program that can break into mobile devices such as smartphones and tablets and get past security precautions like internal encryption and two-factor authentication, giving attackers complete access to the targeted device once it is plugged in. From that point, Pegasus can control all communication on the device, including calls, messages, emails, the microphone and camera, location data, contacts and calendars [1]. Although Pegasus was initially intended to target officials, politicians, journalists, and influencers, its presence can be discovered through covert monitoring of memory consumption, CPU cycles, and network traffic.
The Pegasus tool is produced by the Israeli company NSO Group. This surveillance tool is purpose-built to monitor specific individuals for national security. Although it was developed for use by government agencies, it has been the subject of significant controversy. These controversies arise because the tool is considered a threat to privacy, an abuse of human rights, and a potential misuse of surveillance technology.
The allegations are that governments are spying on their own officials, on political opponents, and even on individuals who are not legitimate targets for surveillance. NSO Group has given its assurance that the tool is used for legitimate purposes such as fighting crime and terrorism. However, a number of investigations and pieces of evidence suggest that Pegasus has been used for questionable purposes by some.
The way that this tool operates is by taking advantage of flaws in mobile devices, especially smartphones, to access personal data, including calls, texts, emails, and other communications. It may also be used to activate the camera and microphone, monitor the device’s position, and do a variety of other things, thereby transforming it into a robust surveillance tool.
The properties of Pegasus are thoroughly covered in this chapter, with special emphasis placed on those aspects that set it apart from other spyware and malware in terms of difficulty of detection [2]. It also explains how Pegasus operates on both iOS and Android operating systems and suggests using advanced technologies like machine learning and AI to develop systems that can identify and prevent Pegasus, safeguarding devices from adware, malware, or spyware. Additionally, the chapter presents case studies demonstrating Pegasus’s evolution over time and proposes methods to prevent spyware from infiltrating and spreading on user devices. By following the practical safety guidelines outlined in this chapter, readers can learn how to protect themselves from the Pegasus surveillance tool.
- Investigating the market origins and distribution of Pegasus.
- Examining how Pegasus operates and its ability to turn smartphones into listening devices by exploiting multiple vulnerabilities.
- Proposing various techniques to detect potential Pegasus attacks.
- Sharing advice on how to recognize the presence of Pegasus spyware on a device.
- Suggesting the utilization of command-line or terminal utilities to lower the likelihood of being affected by the Pegasus spyware.
- Providing practical recommendations to enhance awareness and protect devices from Pegasus spyware.
Spyware attacks have become increasingly sophisticated in recent years. As early as a decade ago, malicious software could be installed by opening a suspicious email [3]. However, Pegasus spyware has now adopted a “mobile first” strategy, whereby it impersonates its users by sending links in text messages that appear to be from trusted sources. Clicking on these links gives Pegasus access to sensitive information, such as location data and financial information. From 2016 to 2021, Pegasus became even more advanced and now uses “zero-click” technology, which relies on zero-day threats that are unknown to the user and remain unpatched [4]. To limit the success of Pegasus on user devices, the research paper titled “Pegasus: A Privacy Killer” recommends adopting basic precautions, such as avoiding unknown links, categorizing devices, and using reliable VPNs for all devices [5, 6]. Pegasus uses complex zero-day infection vectors to infiltrate devices. Once installed, it tries different ways to get access to the victim’s data and transmits it to the server [7]. How Pegasus can attack and exploit a phone can be seen in Figure 1.1.
- It uses GPS information to identify and differentiate targets and obtain precise information.
- The Pegasus spyware does not require coordination with local Mobile Network Operators (MNOs), making it independent of service providers.
- It controls both the content and the devices it infects by utilizing proprietary protocols and SSL, commonly used in complex communications, which allows it to surpass encrypted information.
- The surveillance includes monitoring various applications, such as Instagram, Twitter, WhatsApp, Skype, Viber, etc.
- It monitors VoIP and voice calls in real time (call interception).
- Pegasus can recognize operational identities without the need for regularly switching virtual identities or while continuously surveilling/observing the device.
Figure 1.1 Pegasus impact.
1.2 Working of Pegasus
The spyware named Pegasus is a highly advanced and dangerous tool that exploits a “zero-day vulnerability,” a security weakness for which no patch or update is available or known by the manufacturer. Pegasus can silently infiltrate various Android and iOS devices and covertly monitor all device activities. By exploiting vulnerabilities in third-party spyware, Pegasus can take complete control of the device, allowing the attacker to perform various actions. To protect against such attacks, users must take proactive measures, such as installing antivirus software, regularly updating device firmware, and being vigilant when clicking on links from unknown sources.
Pegasus can read messages, track location, follow the content being browsed, make calls from compromised phones, and access call logs, photos, the camera and the microphone. It can also delete data and even retrieve deleted files from the phone. Pegasus transmits the data obtained from the target’s phone directly to the data server of NSO Group [8].
Pegasus spyware is a highly advanced malware that can be installed easily through physical contact, text or email and through calls and messages. It exploits vulnerabilities that have not been updated with a patch or are not known to the relevant parties. It can infiltrate a device through a missed call on WhatsApp or an iMessage on iPhones [9]. The Pegasus spyware utilizes a zero-click method that does not require any user interaction, making it challenging to detect. Even if a user tries to delete a suspicious message, the spyware can persist on the device and infect it [10].
Pegasus spyware is a highly sophisticated tool that can decrypt end-to-end encrypted messages and files, making it a potent weapon in espionage [11, 12]. Recent findings indicate that the latest versions of Pegasus can infiltrate devices through missed calls and delete the call logs to cover up the attack, making it harder to detect and track its actions. This poses a significant challenge for users who may not even be aware that their devices have been compromised [13].
A diagram depicting the general workflow of Pegasus can be seen in Figure 1.2.
Figure 1.2 Pegasus workflow.
The workflow of Pegasus on a normal device vs. an infected device can be seen in Figure 1.3. It is interesting to see how an infected device behaves differently from a normal device. In a normal device, the common phases include
| Device Setup | The user... |

| Publication date (per publisher) | 27.2.2025 |
|---|---|
| Language | English |
| Subject area | Mathematics / Computer Science ► Computer Science ► Theory / Studies |
| ISBN-10 | 1-394-26889-0 / 1394268890 |
| ISBN-13 | 978-1-394-26889-4 / 9781394268894 |
Copy protection: Adobe DRM
Adobe DRM is a copy-protection scheme intended to protect the eBook against misuse. The eBook is authorized to your personal Adobe ID at download time. You can then read the eBook only on devices that are also registered to your Adobe ID.
File format: EPUB (Electronic Publication)
EPUB is an open standard for eBooks and is particularly well suited to displaying fiction and non-fiction. The body text adapts dynamically to the display and font size, so EPUB is also well suited to mobile reading devices.
System requirements:
PC/Mac: You can read this eBook on a PC or Mac. You need a
eReader: This eBook can be read on (almost) all eBook readers. It is not compatible with the Amazon Kindle, however.
Smartphone/Tablet: Whether Apple or Android, you can read this eBook. You need a
Buying eBooks from abroad
For tax law reasons we can sell eBooks just within Germany and Switzerland. Regrettably we cannot fulfill eBook-orders from other countries.