
Discovery

As of August 2016 – according to a former NSO employee – the U.S. version of
Pegasus had 1-click capabilities for all phones apart from old Blackberry models,
which could be infiltrated with a 0-click attack.[37]
Pegasus hides itself as far as is possible and self-destructs in an attempt to
eliminate evidence if unable to communicate with its command-and-control server for
more than 60 days, or if on the wrong device. Pegasus can also self-destruct on
command.[35] If it is not possible to compromise a target device by simpler means,
Pegasus can be installed by setting up a wireless transceiver near a target device,
or by gaining physical access to the device.[36]

Since 2019, Pegasus has come to rely on iPhone iMessage vulnerabilities to deploy
spyware.[36]

NSO Group developed its first iteration of Pegasus spyware in 2011.[5] The company
states that it provides "authorized governments with technology that helps them
combat terror and crime."[11][12] NSO Group has published sections of contracts
which require customers to use its products only for criminal and national security
investigations and has stated that it has an industry-leading approach to human
rights.[13]

In 2019, WhatsApp revealed Pegasus had employed a vulnerability in its app to
launch zero-click attacks (the spyware would be installed onto a target's phone by
calling the target phone; the spyware would be installed even if the call was not
answered).[36]

Technical details
The spyware can be installed on devices running certain versions of iOS, Apple's
mobile operating system, as well as some Android devices.[31] Rather than being a
specific exploit, Pegasus is a suite of exploits that uses many vulnerabilities in
the system. Infection vectors include clicking links, the Photos app, the Apple
Music app, and iMessage. Some of the exploits Pegasus uses are zero-click — that
is, they can run without any interaction from the victim. Once installed, Pegasus
has been reported to be able to run arbitrary code, extract contacts, call logs,
messages, photos, web browsing history, settings,[32] as well as gather information
from apps including but not limited to communications apps iMessage, Gmail, Viber,
Facebook, WhatsApp, Telegram, and Skype.[33]

In April 2017, after a Lookout report, Google researchers discovered Android
malware "believed to be created by NSO Group Technologies" and named it Chrysaor
(Pegasus' brother in Greek mythology). According to Google, "Chrysaor is believed
to be related to the Pegasus spyware".[34] At the 2017 Security Analyst Summit held
by Kaspersky Lab, researchers revealed that Pegasus was available for Android in
addition to iOS. Its functionality is similar to the iOS version, but the mode of
attack is different. The Android version tries to gain root access (similar to
jailbreaking in iOS); if it fails, it asks the user for permissions that enable it
to harvest at least some data. At the time Google said that only a few Android
devices had been infected.[35]

Pegasus's iOS exploitation was identified in August 2016. Arab human rights
defender Ahmed Mansoor received a text message promising "secrets" about torture
happening in prisons in the United Arab Emirates by following a link. Mansoor sent
the link to Citizen Lab of the University of Toronto, which investigated, with the
collaboration of Lookout, finding that if Mansoor had followed the link it would
have jailbroken his phone and implanted the spyware into it, in a form of social
engineering.[14]

Development of capabilities
The earliest version of Pegasus – which was identified in 2016 – relied on a
spear-phishing attack which required the target to click a malicious link in a text
message or email.[36]

As of March 2023, Pegasus operators were able to remotely install the spyware on
iOS versions through 16.0.3 using a zero-click exploit.[3] While the capabilities
of Pegasus may vary over time due to software updates, Pegasus is generally capable
of reading text messages, call snooping, collecting passwords, location tracking,
accessing the target device's microphone and camera, and harvesting information
from apps.[4][5] The spyware is named after Pegasus, the winged horse of Greek
mythology.[6]

Cyber watchdog Citizen Lab and Lookout Security published the first public
technical analyses of Pegasus in August 2016 after they captured the spyware in a
failed attempt to spy on the iPhone of a human rights activist.[7][8] Subsequent
investigations into Pegasus by Amnesty International, Citizen Lab, and others have
garnered significant media attention, most prominently in July 2021 with the
release of the Pegasus Project investigation, which centered on a leaked list of
50,000 phone numbers reportedly selected for targeting by Pegasus customers.[9][10]

Background
Citizen Lab and Lookout discovered that the link downloaded software to
exploit three previously unknown and unpatched zero-day vulnerabilities in iOS.[7][8]
According to their analysis, the software can jailbreak an iPhone when a
malicious URL is opened. The software installs itself and collects all
communications and locations of targeted iPhones. The software can also collect
Wi-Fi passwords.[15] The researchers noticed that the software's code referenced an
NSO Group product called "Pegasus" in leaked marketing materials.[16] Pegasus had
previously come to light in a leak of records from Hacking Team, which indicated
the software had been supplied to the government of Panama in 2015.[17] Citizen Lab
and Lookout notified Apple's security team, which patched the flaws within ten days
and released an update for iOS.[18] A patch for macOS was released six days later.[19]

Pegasus is spyware developed by the Israeli cyber-arms company NSO Group that is
designed to be covertly and remotely installed on mobile phones running iOS and
Android.[1] While NSO Group markets Pegasus as a product for fighting crime and
terrorism, governments around the world have routinely used the spyware to surveil
journalists, lawyers, political dissidents, and human rights activists.[2]

Regarding how widespread the issue was, Lookout explained in a blog post: "We
believe that this spyware has been in the wild for a significant amount of time
based on some of the indicators within the code" and pointed out that the code
shows signs of a "kernel mapping table that has values all the way back to iOS 7"
(released 2013).[20] The New York Times and The Times of Israel both reported that
it appeared that the United Arab Emirates was using this spyware as early as
2013.[21][22][23] It was used in Panama by former president Ricardo Martinelli from
2012 to 2014, who established the Consejo de Seguridad Pública y Defensa Nacional
(National Security Council) for its use.[24][25][26][27]

Chronology
Several lawsuits outstanding in 2018 claimed that NSO Group helped clients operate
the software and therefore participated in numerous violations of human rights
initiated by its clients.[23] Two months after the murder and dismemberment of The
Washington Post journalist Jamal Khashoggi, a Saudi human rights activist, in the
Saudi Arabian Consulate in Istanbul, Turkey, Saudi dissident Omar Abdulaziz, a
Canadian resident, filed suit in Israel against NSO Group, accusing the firm of
providing the Saudi government with the surveillance software to spy on him and his
friends, including Khashoggi.[28]

In December 2020, the Al Jazeera investigative show The Hidden is More Immense
covered Pegasus and its penetration into the phones of media professionals and
activists, and its use by Israel to eavesdrop on both opponents and allies.[29][30]

By 2020, Pegasus shifted towards zero-click exploits and network-based attacks.
These methods allowed clients to break into target phones without requiring user
interaction and without leaving any detectable traces.[38][39]

Apple Inc., in a lawsuit against the US-based cybersecurity startup Corellium,
alleged that Corellium sold its virtualization technology to NSO Group and other
such "bad actors" and actively encouraged them to find 0-day exploits.[40]

Vulnerabilities
Lookout provided details of the three iOS vulnerabilities:[20]

CVE-2016-4655: Information leak in kernel – A kernel base mapping vulnerability
that leaks information to the attacker, allowing them to calculate the kernel's
location in memory.

CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32- and 64-bit iOS
kernel-level vulnerabilities that allow the attacker to secretly jailbreak the
device and install surveillance software – details in reference.[41]

CVE-2016-4657: Memory corruption in WebKit – A vulnerability in the Safari
WebKit that allows the attacker to compromise the device when the user clicks on a
link.

Google's Project Zero documented another exploit, dubbed FORCEDENTRY, in December
2021. According to Google's researchers, Pegasus sent an iMessage to its targets
that contained what appeared to be GIF images, but which in fact contained a JBIG2
image. A vulnerability in the Xpdf implementation of JBIG2, re-used in Apple's iOS
phone operating software, allowed Pegasus to construct an emulated computer
architecture inside the JBIG2 stream which was then used to implement the
zero-click attack. Apple fixed the vulnerability in iOS 14.8 in September 2021 as
CVE-2021-30860.[42]
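The FORCEDENTRY description above turns on a file whose name says GIF while its bytes say something else. The following is an added example, not code from the article or from Project Zero: a defender-side content check that compares the type implied by an attachment's extension against its magic bytes and additionally flags a PDF that carries a JBIG2-encoded stream. The sample attachments are constructed; the signature table holds only the well-known GIF, PDF and standalone-JBIG2 headers.

```python
"""Flag attachments whose declared image type disagrees with their content.

Added example (not from the article or Project Zero). Sample inputs are
constructed; only public file signatures are used.
"""
from dataclasses import dataclass

# File signatures: GIF has two variants, PDF starts with "%PDF-", and the
# standalone JBIG2 file format opens with a fixed 8-byte identifier.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "jbig2": (b"\x97JB2\r\n\x1a\n",),
}
EXTENSIONS = {"gif": "gif", "pdf": "pdf", "jb2": "jbig2", "jbig2": "jbig2"}


@dataclass
class Verdict:
    declared: str      # type implied by the file extension
    detected: str      # type implied by the leading bytes ("unknown" if none match)
    jbig2_inside: bool # PDF declares a /JBIG2Decode filter somewhere in its body
    mismatch: bool     # extension and content disagree: worth a closer look


def detect_type(data: bytes) -> str:
    """Return the signature-derived type of `data`, or "unknown"."""
    for name, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return name
    return "unknown"


def declared_type(filename: str) -> str:
    """Map the file extension (case-insensitive) to a type name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return EXTENSIONS.get(ext, "unknown")


def check_attachment(filename: str, data: bytes) -> Verdict:
    """Compare extension against content; a .gif name over non-GIF bytes is a mismatch."""
    declared, detected = declared_type(filename), detect_type(data)
    jbig2_inside = detected == "pdf" and b"/JBIG2Decode" in data
    return Verdict(declared, detected, jbig2_inside, declared != detected)


# Constructed samples: a genuine GIF header, and a PDF with a JBIG2 stream under a .gif name.
SAMPLES = {
    "photo.gif": b"GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    "sticker.gif": b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Filter /JBIG2Decode >>\nstream\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, check_attachment(name, blob))
```

A mail or messaging gateway would run this before handing an inline image to any decoder; the mismatch alone is enough to quarantine for review, and the JBIG2 flag tells the analyst which parser to look at.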

As of July 2021, Pegasus likely uses many exploits, some not listed in the above
CVEs.[31]

Pegasus Anonymizing Transmission Network

Human rights group Amnesty International reported in the 2021 investigation that
Pegasus employs a sophisticated command-and-control (C&C) infrastructure to deliver
exploit payloads and send commands to Pegasus targets. There are at least four
known iterations of the C&C infrastructure, dubbed the Pegasus Anonymizing
Transmission Network (PATN) by NSO Group, each encompassing up to 500 domain names,
DNS servers, and other network infrastructure. The PATN reportedly utilizes
techniques such as registering high port numbers for its online infrastructure so
as to avoid conventional internet scanning. PATN also uses up to three randomised
subdomains unique per exploit attempt as well as randomised URL paths.[31]
