How Pegasus infects your phone and spies on you without a click

Among its 50,000 potential targets are journalists, Union ministers, opposition netas, businessmen and activists, an investigation finds

Times News Network

Developed by Israeli cyber intelligence firm NSO Group — known for its expertise in creating specialised cyber weapons — Pegasus is a highly sophisticated surveillance tool. It got widespread attention in 2019 when WhatsApp alerted several users that a spyware had compromised their phones.

WhatsApp, Amnesty International and others sued NSO in the US in 2019, but Pegasus was reportedly used as early as 2016, when an Arab human rights activist's iPhone was hacked. Within days, Apple released an iOS update that reportedly patched the vulnerability targeted by Pegasus.

Pegasus is in the middle of a massive controversy again, with an international media collaboration reporting an unidentified agency may be targeting journalists and others for surveillance with it. Among the 50,000 phone numbers found on a potential list for surveillance, 40 are of Indian journalists.

Who has access and what's it used for?

Multiple reports have said Pegasus is used for surveillance by agencies across countries, but there is no clarity on which specific agency in which country uses it.

The investigation by Amnesty International and French media group Forbidden Stories has found that while most NSO servers are in Europe, three are located in India and used as attack infrastructure.

If NSO is to be believed, no non-governmental agency has access to its software. It says it has 60 government agency clients in 40 countries, but has not named them. And while WhatsApp and others allege Pegasus is spyware, NSO maintains it sells its software "for the sole purpose of saving lives through preventing crime and terror acts."

"NSO does not operate the system and has no visibility to the data. Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children," an NSO statement reads.

[Infographic: What data can Pegasus malware steal? Pegasus can exploit weaknesses in messaging apps to steal data without any interaction from the user. Once installed, Pegasus can access almost any data on a phone. Panel labels: Vulnerable apps; SMS; Emails; Calling; Contacts; WhatsApp chats; Photos & videos; Microphone; Internet browser.]

[Infographic: 300 Indian numbers tracked. An investigation by Amnesty International and French media group Forbidden Stories found that of the 50,000 numbers potentially targeted by Pegasus since 2016, 300 have been identified as belonging to Indian journalists, activists, business executives and opposition politicians. Altogether: 1,000 numbers from the full list; 50 countries; journalists, including 40 from India; 85 human rights activists; 65 business executives.]

How are phones hacked?

Pegasus' USP is its ability to invade a phone without a click from the targeted user. The Organized Crime and Corruption Reporting Project (OCCRP) says earlier versions required a target's active participation. Pegasus operators sent text messages containing a malicious link, which if clicked on would open a malicious web page to download and execute the malware. But as people became better at spotting malicious spam, the use of "zero-click exploits" began.

Zero-click exploits use bugs in popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data, sometimes from unknown sources.
"Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call — they may not even see a missed call or message," OCCRP says.

Timothy Summers, a former cyber engineer at a US intelligence agency, described Pegasus as a nasty software. "It hooks into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple's built-in messaging and email apps, and others. With a line-up like this, one could spy on almost the entire world population. It's apparent that NSO is offering an intelligence-agency-as-a-service," Summers had said to reporters.

What type of surveillance?

Basically, Pegasus can spy on every aspect of the target's life, researchers from cybersecurity firm Kaspersky say. It is modular malware: after scanning the target's device, it installs the necessary modules to read the user's messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, etc.

"Pegasus could even listen to encrypted audio streams and read encrypted messages — thanks to its keylogging and audio recording capabilities, it was stealing messages before they were encrypted (and, for incoming messages, after decryption)," Kaspersky adds.
