A deep dive into the spyware technology that is helping governments track your every move
In 2020, Amnesty International and the Paris-based non-profit Forbidden Stories found a significant data leak consisting of a list of 50,000 phone numbers of politicians, journalists, business professionals and activists from various countries across the globe. The information was then passed along to a global consortium of 17 media organizations, coming together under the umbrella name “The Pegasus Project.”
These phone numbers were from over 45 different countries across the globe. The data leak also contained details of the time and date when the numbers were selected or entered onto a system. The consortium sifted through this data to identify who the numbers belonged to and why they were on the list. Based on their findings, Amnesty International then conducted a forensic examination of the devices which held the leaked phone numbers. This revealed that at least 10 countries including Hungary, India, United Arab Emirates and Mexico had been accessing the numbers. The forensic examination identified that the phones with the leaked numbers had been infected with Pegasus spyware developed by the Israeli cyber arms firm NSO Group.
Before getting alarmed that your privacy might be at stake, take a look at what the spyware is, how it works and how it can be detected.
What is Pegasus spyware?
Pegasus is spyware that can be covertly installed on a user’s devices to read their text messages, track their location and collect their passwords, among a host of other forms of surveillance.
NSO Group, the company behind the spyware, markets it as a tool to track criminals and terrorists. They claim that the spyware tool is meant for targeted spying, not mass surveillance. The firm charges government agencies a flat fee of US$500,000 for installing the tool.
NSO’s charges can vary depending on the number of devices the government agency wishes to spy on. It also charges an annual maintenance fee which is 17% of the initial costs incurred by the governments.
How does the spyware work?
Earlier versions of Pegasus had to be installed on smartphones through spear-phishing techniques. With this method, the user would be tricked into clicking a link or opening a document that secretly installs the spyware on their device.
Another way in which it used to attack devices was by using portable transceivers. These portable transceivers are devices that emulate legitimate cell towers and force smartphones within the area to connect to them.
In 2019, the spyware’s technology evolved further. Pegasus can now be installed on a user’s device with a missed call on WhatsApp. It can also delete this missed call notification from the user’s records, keeping them oblivious to its presence.
The latest version of the spyware uses zero-click hacks. Pegasus can now take advantage of the vulnerabilities of commonly used messaging applications like WhatsApp or iMessage to attack your device without making any form of contact with it. These applications receive and sort data from various sources regularly, which makes the applications an alluring target for hackers. A lack of direct contact with the device makes it impossible to know how and when the spyware entered the device.
How can you detect Pegasus?
Researchers at Amnesty International have developed a Mobile Verification Toolkit (MVT) to check whether your device has been infiltrated. The MVT works on both Android and iOS devices but requires command-line knowledge to install. Unlike a standard app, you cannot just click on an icon to install it. The MVT needs to be compiled for a specific device, which can only be done on Linux or Mac operating systems.
The MVT saves a copy of your phone’s data onto your computer and then checks whether any of it is infected with Pegasus. It specifically checks transfer data logs where the use of the spyware is easiest to trace. To put it simply, it checks whether any of your call logs or messages have been transferred to a third-party device.
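A simplified illustration of that kind of check, added here as an example (it is not part of the original article and is not MVT's own code): indicators are read from a STIX2-style file and compared against records extracted from a phone backup. The indicator values, record layout and function names are constructed placeholders.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX2-style bundle; the indicator values are placeholders, not real IoCs.
BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'tracker.example.invalid']"},
    {"type": "indicator", "pattern": "[process:name = 'fakesvcd']"},
]})

# Constructed records standing in for data extracted from a phone backup.
RECORDS = [
    {"source": "sms", "ts": "2021-07-01T09:14:00Z",
     "text": "Your parcel is waiting: https://cdn.tracker.example.invalid/a?id=7"},
    {"source": "browser_history", "ts": "2021-07-01T09:15:02Z", "text": "https://news.example.org/story"},
    {"source": "data_usage", "ts": "2021-07-01T09:15:40Z", "process": "fakesvcd"},
]

PATTERN = re.compile(r"\[(domain-name:value|process:name)\s*=\s*'([^']+)'\]")
URL = re.compile(r"https?://[^\s\"'<>]+")

def load_indicators(bundle_json):
    """Collect domain and process-name indicators from a STIX2-style bundle."""
    iocs = {"domain-name:value": set(), "process:name": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        m = PATTERN.fullmatch(obj.get("pattern", ""))
        if obj.get("type") == "indicator" and m:
            iocs[m.group(1)].add(m.group(2).lower())
    return iocs

def domain_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def scan(records, iocs):
    """Return (timestamp, source, matched value) for every record that hits an indicator."""
    hits = []
    for rec in records:
        for url in URL.findall(rec.get("text", "")):
            host = urlparse(url).hostname
            if domain_matches(host, iocs["domain-name:value"]):
                hits.append((rec["ts"], rec["source"], host))
        proc = rec.get("process", "").lower()
        if proc in iocs["process:name"]:
            hits.append((rec["ts"], rec["source"], proc))
    return hits

print(scan(RECORDS, load_indicators(BUNDLE)))
```

Matching on the parsed hostname rather than on a substring of the message keeps a look-alike such as nottracker.example.invalid from producing a false hit.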
What does this mean for the future?
Pegasus spyware and the analysis of its leaked data have sparked concerns over government surveillance. Government surveillance as a phenomenon predates spyware, with documented examples such as the Gestapo (Secret State Police) surveilling the people of Nazi Germany.
What is concerning about Pegasus is the scale at which surveillance can now take place. The phone numbers of over 180 journalists from media organizations like Al Jazeera, The New York Times and CNN have been found in the data leaks.
What makes this even more concerning is that one of the names on the list was the Mexican freelance journalist Cecilio Pineda Birto. Birto was an experienced journalist who covered crime, social issues and corruption through posts on his Facebook page Cecilio Pineda, Las Noticias al Instante (Cecilio Pineda: The Instant News). The consortium’s analysis shows that Birto’s number had been of interest to one of NSO’s Mexican clients in the weeks leading up to his murder.
NSO entirely denies all of the consortium’s claims, including its involvement with Birto. The firm says that it rigorously checks its customers’ human rights records before selling them the spyware. It has also come out with a transparency report with excerpts from its contracts specifying that customers must only use surveillance technology for criminal and national security investigations.
Nevertheless, the Israeli government has taken the matter into their own hands. They have set up an inquiry to check whether policy changes are required in surveillance tech exports. Their speedy response shows a glimmer of hope that the consortium’s analysis will prevent misuse of surveillance technology in the future.
Header image courtesy of Amnesty International