25 July 21, 19:01
Quote:
Although the chances of being struck by Pegasus are low, there are still many reasons to practice safe computing on your phone.
Earlier in July, a group of security researchers revealed that they had been working together to uncover widespread surveillance of journalists, politicians, government officials, chief executives, and human rights activists. The tool of choice for these activities was the Israeli NSO Group’s Pegasus, a tool that can be deployed on Android and Apple smartphones with a great deal of stealth.
The researchers include three different groups:
- The Forbidden Stories project, based in Paris. At this link, you can find the full list of the stories that have been published by more than a dozen media partners around the world, including English coverage by the Guardian, the Washington Post, and NPR’s Frontline documentary team. (You can use translation services for coverage published in other languages.)
- Amnesty International’s Berlin-based Security Lab, which helps support individuals who have been targeted by cyberattacks with its custom-made tools and training to identify compromised equipment. Their full forensic report on Pegasus can be found here. The lab also developed a detection tool that can verify if Pegasus has been run on your own phone. This tool can run under either Linux or macOS and can examine the files and configuration of your mobile device by analyzing a backup taken from the device.
- This December 2020 report from The Citizen Lab is another useful resource. This is a Toronto-based research group that has deep knowledge of international spyware tactics and techniques and has published numerous reports over the years. At the time of publishing, the researchers had found 36 iPhones and attributed the attacks to groups in Saudi Arabia and the UAE. This report is also a good place to learn more about the political background of this region and the role played by NSO’s Pegasus spyware.

What is Pegasus and how does it work?
Jakub Vavra, a Mobile Threat Analyst at Avast, has taken a closer look at Pegasus. “Pegasus is a remote access tool (RAT) with spyware capabilities. Its Android variants are capable of extracting data from popular messengers such as WhatsApp, Facebook and Viber as well as email clients and browsers. The spyware is capable of remote surveillance through the phone’s microphone and camera as well as taking screenshots and keylogging the user's inputs. Since 2016, we have tracked and blocked several attempts by Pegasus spyware to breach Android phones, most of them in 2019.”
“Avast blocks Pegasus like any other spyware. Pegasus is used only on a few individuals, apparently, for surveillance purposes. The minimal spread of the spyware doesn’t make it less dangerous, for each individual being under surveillance the scope of privacy damage is certainly very high. Pegasus can monitor a variety of popular messengers and email providers such as Facebook, WhatsApp, Gmail, Telegram and others.”
Pegasus gains access to your phone through a variety of mechanisms, including a zero-day vulnerability in Apple’s iMessage app. A victim receives a message with a malicious link, which leads to a page that exploits a vulnerability in the device’s built-in browser.
It’s unlikely that the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active. What’s interesting about the Pegasus reporting is that many of the targets show a tight correlation between timestamps associated with when their mobile numbers were listed and when Pegasus entered their phones — in some cases, these were as brief as a few seconds. To me, this is the smoking gun behind all the work done on the project. Someone was interested in these parties, someone who was a client of NSO and who could target their tool to these individuals.
...