Apple Issues Urgent Updates to Fix New Zero-Day Linked to Pegasus Spyware
Introduction
Pegasus is spyware developed by the Israeli cyber arms firm NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. The 2021 Project Pegasus revelations suggest that the current Pegasus software can exploit all recent iOS versions up to iOS 14.6.
As of 2016, Pegasus was capable of reading text messages, tracking calls, collecting passwords, tracking location, accessing the target device's microphone and camera, and harvesting information from apps. The spyware is named after Pegasus, the winged horse of Greek mythology: it is a Trojan horse (not a self-replicating virus) that can be sent "flying through the air" to infect mobile phones.
NSO Group Technologies (NSO standing for Niv, Shalev and Omri, the names of the company’s founders) is an Israeli technology firm primarily known for its proprietary spyware Pegasus, which is capable of remote zero-click surveillance of smartphones.
What happened
Citizen Lab, based at the University of Toronto, says it determined that NSO Group used the vulnerability to remotely infect devices with its Pegasus spyware. Citizen Lab reports that it has now recovered new artifacts of the exploit it calls FORCEDENTRY; the exploit's existence was first disclosed in August as part of an investigation into a zero-day vulnerability being used to silently hack iPhones.
Apple has released iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, and Safari 14.1.2 to fix two actively exploited vulnerabilities, one of which (the FORCEDENTRY bug) defeated BlastDoor, the additional sandboxing Apple added in iOS 14 around the processing of iMessage attachments.
Pegasus can be deployed as a "zero-click exploit," meaning that the spyware installs itself without the victim clicking a booby-trapped link or opening a file.
Impact
Using the zero-click infection method, Pegasus can turn on a user’s camera and microphone, record messages, texts, emails, calls — even those sent via encrypted messaging and phone apps like Signal — and send them back to NSO’s clients at governments around the world.
The two flaws are:
- CVE-2021-30858 (WebKit) – A use-after-free that could result in arbitrary code execution when processing maliciously crafted web content. Addressed with improved memory management.
- CVE-2021-30860 (CoreGraphics) – An integer overflow that could lead to arbitrary code execution when processing a maliciously crafted PDF document. Addressed with improved input validation.
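As an added illustration, not Apple's code and not the actual CoreGraphics bug (whose internals Apple has not published), the following C shows the pattern the CVE-2021-30860 description implies: a buffer size computed from attacker-controlled dimensions wraps, a too-small buffer is allocated, and the decode loop then writes past it. The `region_hdr` structure, the 256 MiB policy limit and the two sample headers are constructed for this example; `__builtin_mul_overflow` is the GCC/Clang builtin. The hardened path is what "improved input validation" in Apple's advisory amounts to in practice.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical header for one image region inside an untrusted document,
 * as a decoder would read it straight out of attacker-controlled bytes.
 * Constructed for this example; not CoreGraphics' own parser. */
struct region_hdr {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

/* VULNERABLE: the product is computed in 32 bits and silently wraps.
 * width = 0x10001, height = 0x10000, bpp = 1 gives 0x1_0001_0000, which
 * wraps to 0x10000, so a 64 KiB buffer is allocated for ~4 GiB of pixels. */
uint32_t naive_buffer_size(const struct region_hdr *h)
{
    return h->width * h->height * h->bytes_per_pixel;
}

/* The decode loop writes every declared pixel. Report whether, on the naive
 * path, those writes would run past the (wrapped) allocation: that is the
 * heap overflow an integer overflow turns into. Computed here, not executed.
 * (For 32-bit fields the 64-bit product cannot itself wrap unless all three
 * are huge; a real decoder bounds bytes_per_pixel first, as below.) */
int naive_path_overflows(const struct region_hdr *h)
{
    uint64_t needed = (uint64_t)h->width * h->height * h->bytes_per_pixel;
    return needed > (uint64_t)naive_buffer_size(h);
}

/* HARDENED: overflow-checked multiplication plus a sanity bound on what a
 * legitimate file would ever declare (the bound is a policy choice assumed
 * for this example). Returns 0 and the size on success, -1 on rejection. */
int checked_buffer_size(const struct region_hdr *h, size_t *out)
{
    const size_t max_region_bytes = (size_t)256 * 1024 * 1024; /* assumption */
    size_t n;

    if (h->width == 0 || h->height == 0 ||
        h->bytes_per_pixel == 0 || h->bytes_per_pixel > 16)
        return -1;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &n))
        return -1;
    if (__builtin_mul_overflow(n, (size_t)h->bytes_per_pixel, &n))
        return -1;
    if (n > max_region_bytes)
        return -1;
    *out = n;
    return 0;
}

int main(void)
{
    /* Constructed inputs: one benign header, one crafted to wrap. */
    struct region_hdr benign  = { 640u, 480u, 4u };
    struct region_hdr crafted = { 0x10001u, 0x10000u, 1u };
    size_t n = 0;

    printf("benign : naive=%u overflows=%d checked=%d\n",
           naive_buffer_size(&benign), naive_path_overflows(&benign),
           checked_buffer_size(&benign, &n));
    printf("crafted: naive=%u overflows=%d checked=%d\n",
           naive_buffer_size(&crafted), naive_path_overflows(&crafted),
           checked_buffer_size(&crafted, &n));
    return 0;
}
```

The crafted header passes every naive check (all fields are non-zero and "reasonable" on their own) and only fails once the arithmetic is checked as a whole, which is why per-field validation alone is not enough for file parsers that handle attacker-supplied documents.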
CVE-2021-30860 is the FORCEDENTRY bug: Citizen Lab found it was triggered by a maliciously crafted PDF delivered over iMessage under a .gif extension, with no user interaction. CVE-2021-30858 is the latest in a series of WebKit zero-day flaws Apple has fixed this year. With this set of updates, the company has patched a total of 15 zero-day vulnerabilities since the start of 2021.
Recommendation
- Apple iPhone, iPad, Mac, and Apple Watch users should update immediately (iOS 14.8, iPadOS 14.8, watchOS 7.6.2, macOS Big Sur 11.6, Safari 14.1.2). This is the only measure on this list that actually closes the two flaws.
- Avoid installing third-party software from outside official channels; the only apps to use are those available through the App Store or Google Play.
- Avoid untrusted public networks, and never click a link or open an email attachment if you don't know the source or weren't expecting it.
- Do not root (Android) or jailbreak (iPhone) the phone. Many of the more invasive features of commodity spyware don't work unless the phone is rooted or jailbroken, and on iPhones most such spyware cannot be installed at all without a jailbreak. A rooted or jailbroken phone is more exposed to malware and makes it easier for spyware to be installed.
- Most commodity spyware requires physical access to the phone to install, so set a passcode lock (and don't share it) to minimize the risk of someone installing it. Most devices let you choose between a PIN, pattern, fingerprint, or other unlock method.
Note that the last four items are general hygiene against commodity stalkerware; they do not stop a zero-click exploit such as FORCEDENTRY, which needs no link, attachment, jailbreak or physical access. Patching is the defence against the flaws described here. Users who believe they may be targeted by Pegasus can check a device backup for known indicators with Amnesty International's Mobile Verification Toolkit (MVT).