|Operating system||iOS, Android|
Pegasus is a spyware developed by the Israeli cyberarms firm NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. The 2021 Project Pegasus revelations suggest that the current Pegasus software can exploit all recent iOS versions up to iOS 14.6. As of 2016, Pegasus was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device's microphone and camera, and harvesting information from apps.  The spyware is named after the mythical winged horse Pegasus—it is a Trojan horse that can be sent "flying through the air" to infect phones.
NSO Group was previously owned by American private equity firm Francisco Partners, but it was bought back by its founders in 2019. The company states that it provides "authorized governments with technology that helps them combat terror and crime." NSO Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.
Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the "most sophisticated" smartphone attack ever, and marked the first time that a malicious remote exploit using jailbreak to gain unrestricted access to an iPhone had been detected.
On August 23, 2020, according to intelligence obtained by the Israeli newspaper Haaretz, NSO Group sold Pegasus spyware software for hundreds of millions of US dollars to the United Arab Emirates and the other Gulf States, for surveillance of anti-regime activists, journalists, and political leaders from rival nations, with encouragement and mediation by the Israeli government. Later, in December 2020, the Al Jazeera investigative show The Tip of the Iceberg, Spy partners, exclusively covered Pegasus and its penetration into the phones of media professionals and activists; and its use by Israel to eavesdrop on both opponents and allies.
In July 2021, widespread media coverage part of the Project Pegasus revelations along with an in-depth analysis by human rights group Amnesty International uncovered that Pegasus was still being widely used against high-profile targets. It showed that Pegasus was able to infect all modern iOS versions up to the latest release, iOS 14.6, through a zero-click iMessage exploit.
Pegasus' iOS exploitation was identified in August 2016. Arab human rights defender Ahmed Mansoor received a text message promising "secrets" about torture happening in prisons in the United Arab Emirates by following a link. Mansoor sent the link to Citizen Lab, who investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering. Citizen Lab linked the attack to the NSO Group.
Regarding how widespread the issue was, Lookout explained in a blog post: "We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code" and pointed out that the code shows signs of a "kernel mapping table that has valued all the way back to iOS 7" (released 2013). The New York Times and The Times of Israel both reported that it appeared that the United Arab Emirates was using this spyware as early as 2013. It was used in Panama by former president Ricardo Martinelli from 2012 to 2014, who established the Consejo Nacional de Seguridad (National Security Council) for its use. Several lawsuits outstanding in 2018 claimed that NSO Group helped clients operate the software and therefore participated in numerous violations of human rights initiated by its clients. Two months after the murder and dismemberment of Washington Post journalist Jamal Khashoggi, a Saudi human rights activist, in the Saudi Arabian Consulate in Istanbul, Turkey, Saudi dissident Omar Abdulaziz, a Canadian resident, filed suit in Israel against NSO Group, accusing the firm of providing the Saudi government with the surveillance software to spy on him and his friends, including Khashoggi.
The spyware can be installed on devices running certain versions of iOS, Apple's mobile operating system, as well as some Android devices. Rather than being a specific exploit, Pegasus is a suite of exploits that uses many vulnerabilities in the system. Infection vectors include clicking links, the Photos app, the Apple Music app, and iMessage. Some of the exploits Pegasus uses are zero-click—that is, they can run without any interaction from the victim. Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from apps including but not limited to communications apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.
At the 2017 Security Analyst Summit held by Kaspersky Lab, researchers revealed that Pegasus was available for Android in addition to iOS; Google refers to the Android version as Chrysaor, the brother of the winged horse Pegasus. Its functionality is similar to the iOS version, but the mode of attack is different. The Android version tries to gain root access (similar to jailbreaking in iOS); if it fails, it asks the user for permissions that enable it to harvest at least some data. At the time Google said that only a few Android devices had been infected.
Pegasus hides itself as far as is possible and self-destructs in an attempt to eliminate evidence if unable to communicate with its command-and-control server for over 60 days, or if on the wrong device. Pegasus can also do this on command.
Human rights group Amnesty International reported in the 2021 Project Pegasus revelations that Pegasus employs a sophisticated command-and-control (C&C) infrastructure to deliver exploit payloads and send commands to Pegasus targets. There are at least four known iterations of the C&C infrastructure, dubbed the Pegasus Anonymizing Transmission Network (PATN) by NSO group, each encompassing up to 500 domain names, DNS servers, and other network infrastructure. The PATN reportedly utilizes techniques such as registering high port numbers for their online infrastructure as to avoid conventional Internet scanning. PATN also uses up to three randomised subdomains unique per exploit attempt as well as randomised URL paths.
Although Pegasus is stated as intended to be used against criminals and terrorists, use by authoritarian governments to spy on critics and opponents has often been reported.
In late 2019, Facebook initiated a suit against NSO, claiming that Pegasus had been used to intercept the WhatsApp communications of a number of activists, journalists, and bureaucrats in India, leading to accusations that the Indian government was involved.
Independent digital forensic analysis conducted on 10 Indian phones whose numbers were present in the data showed signs of either an attempted or successful Pegasus hack. The results of the forensic analysis threw up shows sequential correlations between the time and date a phone number is entered in the list and the beginning of surveillance. The gap usually ranges between a few minutes and a couple of hours.
11 phone numbers associated with a female employee of the Supreme Court of India and her immediate family, who accused the former Chief Justice of India, Ranjan Gogoi, of sexual harrasment, are also allegedly found on a database indicating possibility of their phones being snooped.
Records also indicate that phone numbers of some of the key political players in Karnataka appear to have been selected around the time when an intense power struggle was taking place between the Bharatiya Janata Party and the Janata Dal (Secular)-Congress-led state government in 2019.
A leak of a list of over 50,000 phone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 became available to Paris-based media nonprofit organisation Forbidden Stories and Amnesty International. They shared the information with seventeen news media organisations in what has been called "Project Pegasus", and a months-long investigation was carried out, which reported from mid-July 2021. The Pegasus Project involved 80 journalists from the media partners: The Guardian (UK), Radio France and Le Monde (France), Die Zeit and Süddeutsche Zeitung (Germany), The Washington Post (United States), Haaretz/TheMarker (Israel), Aristegui Noticias, Proceso, OCCRP, Knack, Le Soir, The Wire (India), Daraj, Direkt36 (Hungary), and PBS Frontline. Evidence was found that many phones with numbers in the list had been targets of Pegasus spyware. However, The CEO of NSO Group categorically claimed that the list in question is unrelated to them, the source of the allegations can't be verified as reliable one. "This is an attempt to build something on a crazy lack of information...There is fundementally wrong with this investigation".
Lookout provided details of the three iOS vulnerabilities:
News of the spyware received significant media attention, particularly for being called the "most sophisticated" smartphone attack ever, and, for being the first detection of a remote Apple jailbreak exploit.
Dan Tynant of The Guardian wrote an August 2016 article that featured comments from NSO Group, where they stated that they provide "authorized governments with technology that helps them combat terror and crime", although the Group told him that they had no knowledge of any incidents.
The organization developing the open source phone Librem 5, Purism, stated that the best defense against such spyware would be for users and developers to have control over the software – so that they can and do fully inspect it to quickly detect and patch vulnerabilities globally – and the hardware – so that they can switch components off physically.
In the aftermath of the news, critics asserted that Apple's bug-bounty program, which rewards people for finding flaws in its software, might not have offered sufficient rewards to prevent exploits being sold on the black market, rather than being reported back to Apple. Russell Brandom of The Verge commented that Apple's bug-bounty program, which rewards people who manage to find faults in its software, maxes out at payments of $200,000, "just a fraction of the millions that are regularly spent for iOS exploits on the black market". He goes on to ask why Apple doesn't "spend its way out of security vulnerabilities?", but also writes that "as soon as [the Pegasus] vulnerabilities were reported, Apple patched them—but there are plenty of other bugs left. While spyware companies see an exploit purchase as a one-time payout for years of access, Apple’s bounty has to be paid out every time a new vulnerability pops up." Brandom also wrote; "The same researchers participating in Apple’s bug bounty could make more money selling the same finds to an exploit broker." He concluded the article by writing; "It's hard to say how much damage might have been caused if Mansoor had clicked on the spyware link... The hope is that, when the next researcher finds the next bug, that thought matters more than the money."
Presented content of the Wikipedia article was extracted in 2021-07-31 based on https://en.wikipedia.org/?curid=51424588