Pegasus Spyware: How It Works and Where It Has Been Used

NSO Group is an Israeli technology company whose products extract data from smartphones by bypassing their security controls; in other words, it sells spyware. The company has repeatedly been accused of selling to authoritarian governments that use its products to surveil journalists and opposition figures.

NSO Group was founded in 2010 by former Israeli intelligence officers; the name is formed from the founders’ first names (Niv Carmi, Shalev Hulio, Omri Lavie). Initial funding came from a group of investors led by Eddy Shalev, a partner at the Israeli venture fund Genesis Partners.

In 2014, NSO Group was acquired by the American investment firm Francisco Partners, which specializes in technology sector investments. In 2019, company founders Hulio and Lavie, together with European investment firm Novalpina Capital, bought back a controlling stake in NSO Group (the third founder left the company early on).

Pegasus

The company’s main product is Pegasus, spyware that can be installed remotely on iOS and Android smartphones without the owner’s knowledge and then collects data from the device. Most publicly analysed samples target iOS, but Android variants have also been documented. Another product, Circles (a company merged with NSO Group in 2014), is reported to locate a phone anywhere in the world within seconds by abusing the SS7 signalling network used between mobile carriers.

Pegasus exploits a range of vulnerabilities, including zero-days, so that it can target different versions of these operating systems (analysis of captured samples shows support for older hardware, reportedly back to the iPhone 5).

For export purposes the software is regulated by Israel’s Ministry of Defense as a weapon, and only governments, not private individuals, may purchase it (though NSO Group also exports through its offices in Cyprus and Bulgaria). Notably, the company charges per surveilled target on top of a fixed installation fee, which also makes the number of victims a cost decision for the client.

Where Pegasus Has Been Used

The following countries have purchased and used Pegasus to surveil opposition figures:

  • Mexico
    • Surveillance of journalist Carmen Aristegui, who in 2014 investigated a property deal involving the then president’s wife; of the popular broadcaster Carlos Loret de Mola; and possibly of journalist Rafael Cabrera.
    • Surveillance of activists and lawyers investigating the 2014 disappearance of 43 students from Ayotzinapa, who are presumed to have been murdered with the involvement of a drug cartel.
    • Surveillance of Juan E. Pardinas, who was drafting anti-corruption legislation.
    • Attacks were delivered as text messages carrying malicious links.
    • Reportedly used in the 2016 operation that recaptured the drug lord Joaquín “El Chapo” Guzmán.
    • Corrupt Mexican officials and drug cartels used the software to monitor journalists opposing them.
  • Saudi Arabia
    • Used to surveil journalists and activists investigating government activities.
    • In 2018, Amnesty International reported that one of its staff members working on Saudi issues had been targeted with Pegasus and accused Saudi Arabia of being behind it.
    • Allegedly used against people close to the dissident Jamal Khashoggi before his murder in 2018 (Citizen Lab found the phone of his associate Omar Abdulaziz infected). After the murder, NSO Group reportedly suspended its cooperation with Saudi authorities.
    • Allegedly used to hack Jeff Bezos’s phone via a WhatsApp message sent from Crown Prince Mohammed bin Salman’s account; the published forensic analysis did not identify the malware as Pegasus with certainty.
  • UAE
    • Used to surveil opposition figures, including the human rights defender Ahmed Mansoor, who in August 2016 received a malicious link on his iPhone and did not click it. Citizen Lab’s investigation of that link, together with Lookout’s analysis of the exploit chain, provided the first technical data on how Pegasus operates.
  • Morocco
  • Spain
  • India
    • Pegasus use in India was first identified by Citizen Lab researchers in 2018, with one operator (“Ganges”) active mainly on Indian networks.
    • In 2019, WhatsApp notified 121 people in India, including journalists, activists, and human rights lawyers, that they had been targeted. The Indian government under Prime Minister Narendra Modi was suspected; opposition members of parliament demanded a Supreme Court investigation.
    • Also in 2019, it was reported that several dozen senior Pakistani officials, including defence and intelligence representatives, had been surveilled. In both cases the WhatsApp vulnerability CVE-2019-3568 was used.
  • Panama
    • According to Univision, up to 150 people were surveilled between 2012 and 2014, initiated by former president Ricardo Martinelli, targeting political opponents and other persons of interest.
  • Togo
  • Rwanda
  • Azerbaijan
  • Bahrain
  • Hungary
  • Kazakhstan
  • Kenya

Pegasus may also have been used in these countries against individuals who have not yet been identified.

What About Russia?

Interestingly, NSO Group products (and similar foreign tools) do not appear to be used by Russian authorities. The exact reason is unknown, but according to Andrei Soldatov, editor-in-chief of Agentura.ru, it comes down to Russia producing (and exporting) its own spyware, and to a general distrust of foreign products in this field (especially after the leaks involving NSO Group), since such products could let the developer, and its home intelligence agencies, collect the client’s data.

Infected devices are controlled through infrastructure that NSO Group provides to its clients. The list of about 50,000 phone numbers leaked in 2021 to Forbidden Stories and Amnesty International (the Pegasus Project) showed the scale of NSO clients’ interest. In late 2018 and early 2019, Citizen Lab researchers reported being approached by undercover operatives whom they linked to NSO Group; one of them was identified as the former Israeli security officer Aharon Almog-Assouline.

Once Pegasus is on a device, it can reportedly intercept all communications (SMS, calls, messages in popular messengers, email and so on), collect location data, Wi-Fi passwords and data from other apps, and access the microphone, camera, contacts and browser history. This requires elevated privileges, which the exploit chain obtains by rooting the device on Android or jailbreaking it on iOS.

How Does Pegasus Spy?

The techniques Pegasus uses to compromise devices are not publicly disclosed, but some can be reconstructed from known incidents. In 2019, WhatsApp accused NSO Group of using Pegasus to exploit CVE-2019-3568, a buffer overflow in WhatsApp’s VoIP stack triggered by specially crafted SRTCP packets during a voice call; the code executed before the call was answered, so the victim did not need to pick up.

In a lawsuit against NSO Group, WhatsApp representatives stated that the targets included “lawyers, journalists, human rights activists, political dissidents, diplomats, and other prominent officials.” According to WhatsApp, attacks originated from NSO Group servers, and after the malicious code was deployed, it was used to communicate with the compromised device, extract data, and update Pegasus on the device.

NSO Group’s Pegasus product brochure, which surfaced in the 2015 leak of documents from the Italian spyware company Hacking Team, calls its phishing links Enhanced Social Engineering Messages (ESEM). After a click, the victim is routed through a chain of NSO Group anonymising servers, the Pegasus Anonymizing Transmission Network (PATN), which hides the location of the client’s server. The server that attempts the silent installation is called the Pegasus Installation Server; others include the Pegasus Data Server used for command and control. If the exploit fails, the victim is redirected to a decoy site chosen by the operator.

To reduce detection, the installation server only accepts connections from certain countries or OS versions and appears to deactivate links after a short period (about 24 hours). In 2016, Citizen Lab researchers mapped the sprawling online infrastructure of a then unknown operator they named Stealth Falcon (some of its phishing resources were disguised as humanitarian organisations such as the Red Cross, or as media sites). They found the code string “PegasusProtocol” and determined that a malicious link led to a Stealth Falcon server whose IP address had been registered by an NSO Group employee.

In 2018, after the targeting of an Amnesty International employee was discovered, an investigation identified servers belonging to NSO Group (some previously identified by Citizen Lab). This was done by building digital fingerprints of the servers used in the attack and then scanning for other servers with the same fingerprint. Another overlap with Citizen Lab’s findings was the use of self-signed TLS certificates. Amnesty International also found that most phishing domains were registered during Israel’s working week (Sunday to Thursday), and that some domain names hinted at specific regions (e.g. “zm” for Zambia, or odnoklass-profile[.]com for Russian-speaking regions). Other domains imitated real news organisations (e.g. gulf-news[.]info for gulfnews.com, or breaking-news[.]co).
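The pivoting described above, reduced to its mechanics, as an added example. This is not Amnesty International’s or Citizen Lab’s tooling; the scan records are constructed, and the fields used in the fingerprint (self-signed certificate, certificate subject and issuer, HTTP status and Server header on “/”) are an assumption about what such a fingerprint can contain. It starts from one server already tied to an attack, finds other hosts with an identical fingerprint, and then applies the two weaker signals from the paragraph: registration on Israel’s working days and news-brand look-alike names.

```python
"""Pivot from one known Pegasus installation server to look-alike servers.

Added example; this is not Amnesty International's or Citizen Lab's tooling.
The scan records are constructed, and the fingerprint fields (self-signed
certificate, certificate subject/issuer, HTTP status and Server header on "/")
are an assumption about what such a fingerprint can contain.
"""
from datetime import date

# Constructed scan output: one record per server, as a scanner might emit it.
# Dates are chosen so the weekday check below is meaningful (2018-03-04 is a Sunday).
SCAN = [
    {"host": "breaking-news.example", "ip": "192.0.2.10", "self_signed": True,
     "cert_subject": "CN=localhost", "cert_issuer": "CN=localhost",
     "status": 404, "server": "nginx", "registered": date(2018, 3, 4)},     # Sunday
    {"host": "gulf-news.example", "ip": "192.0.2.11", "self_signed": True,
     "cert_subject": "CN=localhost", "cert_issuer": "CN=localhost",
     "status": 404, "server": "nginx", "registered": date(2018, 3, 6)},     # Tuesday
    {"host": "odnoklass-profile.example", "ip": "192.0.2.12", "self_signed": True,
     "cert_subject": "CN=localhost", "cert_issuer": "CN=localhost",
     "status": 404, "server": "nginx", "registered": date(2018, 3, 7)},     # Wednesday
    {"host": "legit-blog.example", "ip": "198.51.100.5", "self_signed": False,
     "cert_subject": "CN=legit-blog.example", "cert_issuer": "CN=Example CA",
     "status": 200, "server": "Apache", "registered": date(2018, 3, 10)},   # Saturday
    {"host": "unrelated-404.example", "ip": "198.51.100.6", "self_signed": True,
     "cert_subject": "CN=unrelated", "cert_issuer": "CN=unrelated",
     "status": 404, "server": "Apache", "registered": date(2018, 3, 9)},    # Friday
]

SEED_HOST = "breaking-news.example"   # server already tied to a confirmed attack

# Brands an operator might imitate; a real list would come from the targets' region.
BRANDS = {"gulfnews", "breakingnews", "odnoklassniki"}

ISRAEL_WORKDAYS = {6, 0, 1, 2, 3}     # Sunday..Thursday in date.weekday() numbering


def fingerprint(rec):
    """Server-side properties an operator is unlikely to change per domain."""
    return (rec["self_signed"], rec["cert_subject"], rec["cert_issuer"],
            rec["status"], rec["server"].lower())


def pivot(scan, seed_host):
    """Hosts whose fingerprint equals the seed server's, excluding the seed itself."""
    seed = next(r for r in scan if r["host"] == seed_host)
    fp = fingerprint(seed)
    return sorted(r["host"] for r in scan
                  if r["host"] != seed_host and fingerprint(r) == fp)


def workweek_share(scan, hosts):
    """Fraction of the given hosts whose registration date falls on Sunday-Thursday."""
    days = [r["registered"].weekday() for r in scan if r["host"] in hosts]
    if not days:
        return 0.0
    return sum(d in ISRAEL_WORKDAYS for d in days) / len(days)


def brand_lookalikes(hosts, brands):
    """Map host -> brand for hosts whose first label, hyphens removed, is a brand
    name (gulf-news.example -> gulfnews). Cheap, and blind to truncations such
    as odnoklass-, which is why the fingerprint pivot is the primary signal."""
    out = {}
    for h in hosts:
        label = h.split(".")[0].replace("-", "").lower()
        if label in brands:
            out[h] = label
    return out


if __name__ == "__main__":
    candidates = pivot(SCAN, SEED_HOST)
    cluster = {SEED_HOST, *candidates}
    print("same fingerprint as seed:", candidates)
    print("registered Sun-Thu:", workweek_share(SCAN, cluster))
    print("brand look-alikes:", brand_lookalikes(sorted(cluster), BRANDS))
```

The fingerprint match is the strong signal; the weekday and brand heuristics only rank candidates and would be noisy on their own, which is why the paragraph above describes them as corroboration rather than proof.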

Vulnerabilities Used by Pegasus

  • CVE-2016-4655 — iOS kernel information leak that reveals where the kernel is located in memory, defeating kernel address space layout randomisation.
  • CVE-2016-4656 — iOS kernel memory corruption that allows a silent jailbreak of the device.
  • CVE-2016-4657 — WebKit (Safari rendering engine) memory corruption that gives the attacker code execution once the victim opens a malicious link.

Together these three bugs form the “Trident” chain used against Ahmed Mansoor, which Apple patched in iOS 9.3.5 in August 2016. A December 2020 Citizen Lab report indicated that NSO Group had shifted to zero-click vulnerabilities (at that time an iMessage exploit the researchers named KISMET) and network-level attacks, which leave fewer traces than a link the victim has to click. Citizen Lab’s August 2021 report described Pegasus successfully exploiting FORCEDENTRY (CVE-2021-30860), another zero-click iMessage exploit against Apple operating systems, which Apple patched in September 2021. It is likely that Pegasus uses other, as yet undiscovered vulnerabilities as well.

Pegasus hides its presence on infected systems. If it cannot contact its C&C server within 60 days, it self-destructs (or can do so on command). The C&C infrastructure, called the Pegasus Anonymizing Transmission Network (PATN), reportedly consists of 500 domains, DNS servers, and other network infrastructure. One PATN method is to operate on high-numbered ports to avoid standard port scanners. For each attack attempt, PATN generates unique subdomains and URLs, never reusing them, making detection difficult.

According to cybersecurity researcher Juan Andrés Guerrero-Saade, the system is installed on the client’s servers, and to initiate an attack, the operator simply enters the victim’s phone number. The system tests the number and generates a one-time delivery mechanism for the exploit. Each client likely receives a unique segment of NSO’s infrastructure (mainly a set of phishing domains, which may be registered by NSO or the client’s operator). It is impossible to say for sure whether NSO has access to the list of victims (the company denies this).

Citizen Lab identified three iterations of NSO Group’s infrastructure:

  • Version 1 — identified from historical data;
  • Version 2 — identified during the Stealth Falcon investigation, with some IP overlap with Version 1; likely deactivated by NSO after Citizen Lab’s 2016 report;
  • Version 3 — identified in 2018, with some IP and domain overlap with Version 2.

How to Protect Yourself

Not clicking suspicious links removes the ESEM delivery vector, but the zero-click exploits described above need no interaction from the victim, so there is no single reliable protection. What does help: keep the operating system updated (the Trident and FORCEDENTRY chains were patched within days of disclosure); reboot the device regularly, since Amnesty International’s forensic work found that Pegasus on iOS often does not persist across a reboot and has to be re-deployed; if you are at elevated risk, use Apple’s Lockdown Mode, available from iOS 16; keep regular backups, which are also what forensic tooling analyses; and enable two-factor authentication on your accounts, bearing in mind that it protects the accounts, not a device that is already compromised.

You can also follow TechCrunch’s guide on checking your device for Pegasus traces. It relies on the Mobile Verification Toolkit (MVT), which analyses an iTunes backup or a full filesystem dump, and on the indicator files (STIX2 format) that Amnesty International publishes in its AmnestyTech/investigations repository on GitHub.
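What that check does under the hood, as an added example (this is not MVT’s code): parse the indicator patterns out of a STIX2 bundle and match them against the device artifacts a tool like MVT extracts from a backup, such as Safari history, SMS links and process names from data-usage records. Both the bundle and the device records below are constructed so the script runs offline; real indicators are Amnesty International’s pegasus.stix2 file. Note the two edge cases it handles: one-time PATN subdomains are caught by matching on the registrable domain, and a look-alike where the indicator is not the domain suffix is deliberately not matched.

```python
"""Match STIX2 indicators against device artifacts, the way an IOC check does.

Added example; it is not MVT's code. The STIX2 bundle and the device records
are constructed here so the script runs offline. Real indicators are the
pegasus.stix2 file in Amnesty International's AmnestyTech/investigations repo.
"""
import json
import re
from urllib.parse import urlparse

# Constructed bundle in the shape a STIX2 indicator file uses: each indicator
# carries a pattern such as "[domain-name:value = 'example.net']".
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'breaking-news.example']"},
        {"type": "indicator", "id": "indicator--2", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'gulf-news.example']"},
        {"type": "indicator", "id": "indicator--3", "pattern_type": "stix",
         "pattern": "[process:name = 'bh']"},
        {"type": "malware", "id": "malware--1", "name": "Pegasus"},
    ],
})

# Constructed records in the flat form a backup-analysis module produces.
SAMPLE_RECORDS = [
    {"source": "safari_history", "time": "2021-07-10T08:15:02Z",
     "url": "https://news.example/story/1"},
    {"source": "sms", "time": "2021-07-10T09:01:44Z",
     "url": "https://a1b2c3.breaking-news.example/aq9z"},        # one-time PATN subdomain
    {"source": "safari_history", "time": "2021-07-10T09:01:50Z",
     "url": "https://a1b2c3.breaking-news.example/aq9z"},
    {"source": "datausage", "time": "2021-07-10T09:02:30Z", "process": "bh"},
    {"source": "datausage", "time": "2021-07-10T09:02:31Z", "process": "mDNSResponder"},
    {"source": "safari_history", "time": "2021-07-11T12:00:00Z",
     "url": "https://gulf-news.example.evil.test/x"},             # indicator is not the suffix
]

PATTERN_RE = re.compile(
    r"\[(?P<kind>[a-z-]+):(?P<field>[a-z_]+)\s*=\s*'(?P<value>[^']+)'\]")


def load_indicators(stix_json):
    """Return {object kind: set of values} from a bundle's single-clause patterns."""
    iocs = {}
    for obj in json.loads(stix_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m is None:
            continue        # compound patterns (AND/OR) are out of scope here
        iocs.setdefault(m["kind"], set()).add(m["value"].lower())
    return iocs


def host_of(url):
    """Lower-cased hostname of a URL, without a trailing dot."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def matching_domain(host, bad_domains):
    """Exact match or subdomain of an indicator. PATN never reused subdomains,
    so matching on the registrable domain is what catches the one-time links."""
    for d in bad_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_records(records, iocs):
    """Return one hit per record that touches an indicator domain or process."""
    hits = []
    domains = iocs.get("domain-name", set())
    procs = iocs.get("process", set())
    for r in records:
        if "url" in r:
            d = matching_domain(host_of(r["url"]), domains)
            if d:
                hits.append({"source": r["source"], "time": r["time"],
                             "value": r["url"], "ioc": d})
        if "process" in r and r["process"].lower() in procs:
            hits.append({"source": r["source"], "time": r["time"],
                         "value": r["process"], "ioc": r["process"].lower()})
    return hits


if __name__ == "__main__":
    for h in scan_records(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX2)):
        print(f"{h['time']} {h['source']:15} {h['value']}  <- {h['ioc']}")
```

Run against the constructed data this reports three hits: the SMS carrying the link, the Safari visit to it a few seconds later, and the “bh” process in the data-usage records; the benign URL, the unrelated process and the fake-suffix look-alike are left alone. On a real backup the same logic runs over many more artifact sources, and a single hit on a domain indicator should be treated as a reason for a full forensic review, not as a false positive to tune out.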

On the other hand, NSO Group charges its clients per target, so unless you are a journalist, activist, lawyer, politician or someone close to one, it is unlikely that Pegasus would be used against you.
