paint-brush
Understanding Pegasus: How to Trace the Untraceableby@z3nch4n
736 reads
736 reads

Understanding Pegasus: How to Trace the Untraceable

by Zen ChanSeptember 22nd, 2021
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Pegasus is a spyware that is developed, marketed, and licensed to governments worldwide by the Israeli cyber-surveillance company NSO Group. It is capable of infecting billions of phones using either iOS or Android operating systems. Pegasus is so powerful that it can monitor keystrokes, access microphones and camera. The worst thing is, the user may not even see any missed call or message. There’s a tool you can use to check whether Pegasus has infected your phone. The Mobile Verification Toolkit (VT) was created to assist with the forensic analysis of Android and iOS devices.

Companies Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - Understanding Pegasus: How to Trace the Untraceable
Zen Chan HackerNoon profile picture

Pegasus is originally Military-grade software for tracking terrorists and criminals. However, according to NSO Group, Pegasus is only used to “investigate terrorism and crime” and “leaves no traces.” It was first discovered in 2014, infected phones via spear-phishing: either specifically crafted text messages or emails that lure a target into clicking on a malicious link.

In short, Pegasus is a spyware that is developed, marketed, and licensed to governments worldwide by the Israeli cyber-surveillance company NSO Group. It is perhaps the most potent piece of spyware ever (certainly by a private company). It is capable of infecting billions of phones using either iOS or Android operating systems.

“Zero-click” Attacks

Using end-to-end encryption software like Whatsapp or Signal on mobile ensures the confidentiality of your conversation. But Pegasus is so powerful that it can monitor keystrokes, access microphone, and camera, and finally, turn the mobile device into a spying device of the user.

NSO enhance Pegasus attack capabilities ever since. At this moment, it is confirmed by the different testing reports that Pegasus can infect devices using “zero-click” attacks. (If you want to go through all the forensic details of Pegasus, you can visit the report here.)

As the name implied, “zero-click” attacks do not require any interaction from the victim (i.e., they can “leaves no traces” as claimed by NSO Group). Most recently, a successful “zero-click” attack has been reviewed, exploiting various zero-days to attack a fully patched iPhone 12 running iOS 14.6 (the updated version of iOS as of this moment) in July 2021.

Once a vulnerability is found, Pegasus can infiltrate a targeted device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call. The worst thing is, the user may not even see any missed call or message.

When comparing iOS with Android, iOS was considerably more secure, but Apple iPhone is no match for Pegasus despite all the hypes. Researchers have documented successful attacks against iOS in recent years via zero-day exploits.

Pegasus Network Injection Attacks

Knowing that your devices may be infected without notice, it is worth mentioning what kind of damage it can cause. One of the major parts of spyware is to capture the activities you make on the device.

In October 2019, the report by Amnesty International documented the URL redirection that happened in the infected devices. Therefore, it can be concluded that network injection attacks are performed either through tactical devices, such as rogue cell towers, or dedicated equipment installed at the network operator.

The follow-up report in 2020, focused on the Moroccan Journalists attacks, explained these URL redirections happen when the infected devices navigate not only via web browsers but also when using other apps. It “hooks” into messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others.

With the redirection happening before the URL's actual browsing, the spyware sends all your browsing activities, including those made from apps, to an open-source Textpattern content management system (CMS) which bypasses the encryption in place.

Pegasus’ BridgeHead

Despite the Amnesty International, Citizen Lab, and other reports regarding Pegasus spyware attacks based on the domain names and other network infrastructure used to carry the attacks. Other traces are showing that Pegasus left behind other malicious payloads.

As pointed out by Mobile Security Firm Lookout in their technical analysis of the Pegasus Exploits on iOS, the spyware could infect a system by the “zero-click” attacks using a vulnerability in the iOS. Afterward, it will maintain persistence of itself and leave exploit code on the device after reboot.

All traces reported point to the same process with the internal name assigned by NSO Group — “bh” or “BridgeHead.” This “bh” process appeared right after the successful network injection. Researchers believe that the BridgeHead module executes the following:

  1. completes the browser exploitation,
  2. roots the devices, and
  3. prepare for Pegasus suite full infection.

Use This Tool to Check If Your Phone’s Been Hacked by Pegasus

If you’re concerned about how terrifying that is, there’s a tool you can use to check whether Pegasus has infected your phone. The Mobile Verification Toolkit (MVT) was created to assist with the “consensual forensic analysis of Android and iOS devices, for the purpose of identifying traces of compromise,” according to its Github site.

This toolkit has been developed and released by the Amnesty International Security Lab in July 2021 in the context of the Pegasus project, and it supports two platforms: iOS and Android (Obviously).

mvt-project/mvt

You can find the documentation here.

Final Words

The most comprehensive investigation conducted regarding the impact of Pegasus was conducted by The Washington Post with 16 other media partners, and most importantly — a data leak led the consortium to a list of more than 50,000 phone numbers of activists, journalists, senior business executives, and politicians.

Two driving forces make this attack inevitable:

  • The increasing number of vulnerabilities found/ discovered on mobile apps/ OS itself;
  • The broad adoption of mobile devices by everyone, including journalists, politicians, activists, and business people worldwide — as well as terrorists and criminals;

Both of them have provided the foundation of the rise to the commercialization of such military-grade mobile hacking tools to whom willing to pay.

While the chances are pretty low that NSO’s spyware has targeted the ordinary mobile user, you never know. Even if you are on the latest update and keep everything under control, it is not much you can do right now to prevent the attack as mobile users.

The reveals of the whole Pegasus project fuel a debate about whether Apple and Google or other tech companies have done enough to protect their customers from unauthorized intrusions.

Also Published At: https://medium.com/technology-hits/takeaways-from-the-mighty-pegasus-the-nso-group-spyware-524e6fc3a698

For a more detailed technical review of Pegasus:

NSO Group Archives - The Citizen Lab

Forensic Methodology Report: How to catch NSO Group's Pegasus

Thank you for reading. May InfoSec be with you🖖.