What is Pegasus spyware and how does it hack phones?

Pegasus is the hacking software – or spyware – that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group. It has the capability to infect billions of phones running either iOS or Android operating systems. The earliest version of Pegasus discovered, which was captured by researchers in 2016, infected phones through what is called spear-phishing – text messages or emails that trick a target into clicking on a malicious link.

Pegasus infections can be achieved through so-called “zero-click” attacks, which do not require any interaction from the phone’s owner in order to succeed.

Where neither spear-phishing nor zero-click attacks succeed, Pegasus can also be installed over a wireless transceiver located near a target, or, according to an NSO brochure, simply manually installed if an agent can steal the target’s phone.

Once installed on a phone, Pegasus can harvest more or less any information or extract any file. SMS messages, address books, call history, calendars, emails and internet browsing histories can all be exfiltrated.

The tool, which is sold by the surveillance vendor to governments worldwide, is typically installed either by exploiting previously unknown security vulnerabilities in common apps or by tricking a potential target into clicking a malicious link. NSO Group calls itself “the world leader in precision cyber intelligence solutions for the sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies.” The list of phone numbers examined by the probe, which does not include names, is said to contain the numbers of hundreds of business executives, religious figures, academics, NGO employees, union officials and government officials. The probe uncovered NSO Group clients in at least 11 countries, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo and the U.A.E.

The list of countries targeted by Pegasus includes Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

How to check if your phone is infected with Pegasus Spyware?

Researchers at Amnesty have developed a toolkit for this purpose called MVT, the Mobile Verification Toolkit. Interestingly, the tool can also check for other malicious apps on the device. The open-source toolkit is available on GitHub for anyone who wants to inspect it and verify its reliability. The Mobile Verification Toolkit supports both iOS and Android devices. On Android, forensics is much harder because the relevant data logs are not always present; on iOS, the logs are kept for a much longer period. This is also the reason why Amnesty was able to find evidence of Pegasus more easily on iPhones.

To install the toolkit, users first need to install the Python package, which is available from the MVT (Mobile Verification Toolkit) website.

The tool also needs a full backup of your iOS device to analyse. Keep in mind that running MVT on macOS requires Xcode and Homebrew to be installed.

Amnesty also made it clear that while “MVT is capable of extracting and processing various types of very personal records typically found on a mobile phone (such as calls history, SMS and WhatsApp messages, etc.),” the tool is only meant for users who wish to carry out this check themselves.
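MVT compares the records it extracts from a backup (browsing history, process names and similar) against published indicator files in STIX2 format. The following is an added example, not MVT's own code, that shows that matching step in miniature: it loads a constructed placeholder STIX2 bundle and runs two constructed record sets against it; the domain, process name and sample rows are invented for this example and are not real Pegasus indicators.

```python
import json
import re
from urllib.parse import urlparse
# Constructed STIX2 bundle in the shape MVT indicator files use. The domain and
# process name are placeholders for this example, not real Pegasus indicators.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'placeholder-c2.example']"},
        {"type": "indicator", "pattern": "[process:name = 'placeholderd']"},
        {"type": "malware", "name": "Placeholder spyware"},
    ],
})
# Only the two comparison types this example handles; MVT supports more.
PATTERN_RE = re.compile(r"\[(domain-name:value|process:name) = '([^']+)'\]")

def load_indicators(bundle_json):
    """Collect indicator values from a STIX2 bundle, keyed by comparison type."""
    iocs = {"domain-name:value": set(), "process:name": set()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware/identity objects carry no pattern to match
        m = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if m:
            iocs[m.group(1)].add(m.group(2).lower())
    return iocs

def domain_matches(hostname, domains):
    """True for an exact match or a subdomain of a listed domain."""
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in domains)

def check_records(history, processes, iocs):
    """Return one dict per hit across browsing history and process names."""
    hits = []
    for row in history:  # rows like those MVT pulls from Safari's History.db
        host = urlparse(row["url"]).hostname or ""
        if domain_matches(host, iocs["domain-name:value"]):
            hits.append({"module": "safari_history", "value": row["url"], "ts": row["timestamp"]})
    for proc in processes:  # process names found in the backup's diagnostic logs
        if proc.lower() in iocs["process:name"]:
            hits.append({"module": "processes", "value": proc, "ts": None})
    return hits

# Constructed sample records: one benign and one suspicious entry of each kind.
SAMPLE_HISTORY = [
    {"url": "https://www.example.org/news", "timestamp": "2021-07-18 09:12:00"},
    {"url": "https://cdn.placeholder-c2.example/x", "timestamp": "2021-07-18 09:13:41"},
]
SAMPLE_PROCESSES = ["SpringBoard", "placeholderd"]
```

Running `check_records(SAMPLE_HISTORY, SAMPLE_PROCESSES, load_indicators(STIX_BUNDLE))` returns two hits, one per suspicious record; the real tool produces the same kind of timestamped hit list from a decrypted backup.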

Our Recommendations:

  • Avoid installing any third-party software on your devices. This means that the only apps you should use are the ones available through official channels such as the App Store or Google Play.
  • Avoid public connections and never click on a link or open an email attachment if you don’t know the source or aren’t expecting the link or document.
  • Most spyware requires physical access to the phone to install, so put a passcode lock on your phone (and don’t share it) to minimize the risk of someone installing spyware. Many devices let you choose between a number, a pattern, a thumbprint, or other security features.
  • On Android phones, turn on Google Play Protect, which scans for apps containing malware and viruses and can protect the phone from most spyware. In addition, always install the latest operating system updates for your phone, which often include security patches.
  • Do not root (for Android phones) or jailbreak (for iPhones) your phone. Many of the more invasive spyware features don’t work unless the phone is rooted or jailbroken. On iPhones, most spyware cannot be installed unless the phone is jailbroken. A rooted or jailbroken phone is more vulnerable to viruses and malware and makes it easier for spyware to be installed.