- 1 Discovery
- 2 Spyware details
- 3 Use of spyware
- 4 Vulnerabilities
- 5 Reactions
- 6 See also
- 7 References
|Operating system||iOS, Android|
Pegasus is a spyware developed by the Israeli cyberarms firm NSO Group that can be covertly installed on mobile phones (and other devices) running most versions of iOS and Android. The 2021 Project Pegasus revelations suggest that the current Pegasus software can exploit all recent iOS versions up to iOS 14.6. As of 2016, Pegasus was capable of reading text messages, tracking calls, collecting passwords, location tracking, accessing the target device's microphone and camera, and harvesting information from apps.  The spyware is named after the mythical winged horse Pegasus—it is a Trojan horse that can be sent "flying through the air" to infect phones.
NSO Group was previously owned by American private equity firm Francisco Partners,, but it was bought back by its founders in 2019. The company states that it provides "authorized governments with technology that helps them combat terror and crime." NSO Group has published sections of contracts which require customers to use its products only for criminal and national security investigations and has stated that it has an industry-leading approach to human rights.
Pegasus was discovered in August 2018 after a failed installation attempt on the iPhone of a human rights activist led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited. News of the spyware caused significant media coverage. It was called the "most sophisticated" smartphone attack ever, and marked the first time that a malicious remote exploit using jailbreak to gain unrestricted access to an iPhone had been detected.
On August 23, 2020, according to intelligence obtained by the Israeli newspaper Haaretz, NSO Group sold Pegasus spyware software for hundreds of millions of US dollars to the United Arab Emirates and the other Gulf States, for surveillance of anti-regime activists, journalists, and political leaders from rival nations, with encouragement and mediation by the Israeli government. Later, in December 2020, the Al Jazeera investigative show The Tip of the Iceberg, Spy partners, exclusively covered Pegasus and its penetration into the phones of media professionals and activists; and its use by Israel to eavesdrop on both opponents and allies.
In July 2021, widespread media coverage part of the Project Pegasus revelations along with an in-depth analysis by human rights group Amnesty International uncovered that Pegasus was still being widely used against high-profile targets. It showed that Pegasus was able to infect all modern iOS versions up to the latest release, iOS 14.6, through a zero-click iMessage exploit.
Pegasus' iOS exploitation was identified in August 2016. Arab human rights defender Ahmed Mansoor received a text message promising "secrets" about torture happening in prisons in the United Arab Emirates by following a link. Mansoor sent the link to Citizen Lab, who investigated, with the collaboration of Lookout, finding that if Mansoor had followed the link it would have jailbroken his phone and implanted the spyware into it, in a form of social engineering. Citizen Lab linked the attack to the NSO Group.
Regarding how widespread the issue was, Lookout explained in a blog post: "We believe that this spyware has been in the wild for a significant amount of time based on some of the indicators within the code" and pointed out that the code shows signs of a "kernel mapping table that has valued all the way back to iOS 7" (released 2013). The New York Times and The Times of Israel both reported that it appeared that the United Arab Emirates was using this spyware as early as 2013.
Several lawsuits outstanding in 2018 claimed that NSO Group helped clients operate the software and therefore participated in numerous violations of human rights initiated by its clients. Two months after the murder and dismemberment of Washington Post journalist Jamal Khashoggi, a Saudi human rights activist, in the Saudi Arabian Consulate in Istanbul, Turkey, Saudi dissident Omar Abdulaziz, a Canadian resident, filed suit in Israel against NSO Group, accusing the firm of providing the Saudi government with the surveillance software to spy on him and his friends, including Khashoggi.
The spyware can be installed on devices running certain versions of iOS, Apple's mobile operating system, as well as some Android devices. Rather than being a specific exploit, Pegasus is a suite of exploits that uses many vulnerabilities in the system. Infection vectors include clicking links, the Photos app, the Apple Music app, and iMessage. Some of the exploits Pegasus uses are zero-click—that is, they can run without any interaction from the victim. Once installed, Pegasus has been reported to be able to run arbitrary code, extract contacts, call logs, messages, photos, web browsing history, settings, as well as gather information from apps including but not limited to communications apps iMessage, Gmail, Viber, Facebook, WhatsApp, Telegram, and Skype.
At the 2017 Security Analyst Summit held by Kaspersky Lab, researchers revealed that Pegasus was available for Android in addition to iOS; Google refers to the Android version as Chrysaor, the brother of the winged horse Pegasus. Its functionality is similar to the iOS version, but the mode of attack is different. The Android version tries to gain root access (similar to jailbreaking in iOS); if it fails, it asks the user for permissions that enable it to harvest at least some data. At the time Google said that only a few Android devices had been infected.
Pegasus hides itself as far as is possible and self-destructs in an attempt to eliminate evidence if unable to communicate with its command-and-control server for over 60 days, or if on the wrong device. Pegasus can also do this on command.
Pegasus Anonymizing Transmission Network
Human rights group Amnesty International reported in the 2021 Project Pegasus revelations that Pegasus employs a sophisticated command-and-control (C&C) infrastructure to deliver exploit payloads and send commands to Pegasus targets. There are at least four known iterations of the C&C infrastructure, dubbed the Pegasus Anonymizing Transmission Network (PATN) by NSO group, each encompassing up to 500 domain names, DNS servers, and other network infrastructure. The PATN reportedly utilizes techniques such as registering high port numbers for their online infrastructure as to avoid conventional Internet scanning. PATN also uses up to three randomised subdomains unique per exploit attempt as well as randomised URL paths.
Use of spyware
Although Pegasus is stated as intended to be used against criminals and terrorists, use by authoritarian governments to spy on critics and opponents has often been reported.
Use by India
In late 2019, Facebook initiated a suit against NSO, claiming that Pegasus had been used to intercept the WhatsApp communications of a number of activists, journalists, and bureaucrats in India, leading to accusations that the Indian government was involved.
Independent digital forensic analysis conducted on 10 Indian phones whose numbers were present in the data showed signs of either an attempted or successful Pegasus hack. The results of the forensic analysis threw up shows sequential correlations between the time and date a phone number is entered in the list and the beginning of surveillance. The gap usually ranges between a few minutes and a couple of hours.
11 phone numbers associated with a female employee of the Supreme Court of India and her immediate family, who accused the former Chief Justice of India, Ranjan Gogoi, of sexual harrasment, are also allegedly found on a database indicating possibility of their phones being snooped.
Records also indicate that phone numbers of some of the key political players in Karnataka appear to have been selected around the time when an intense power struggle was taking place between the Bharatiya Janata Party and the Janata Dal (Secular)-Congress-led state government in 2019.
Use by Mexican drug cartels
Use by Saudi Arabia
Project Pegasus revelations
A leak of a list of over 50,000 phone numbers believed to have been identified as those of people of interest by clients of NSO since 2016 became available to Paris-based media nonprofit organisation Forbidden Stories and Amnesty International. They shared the information with seventeen news media organisations in what has been called "Project Pegasus", and a months-long investigation was carried out, which reported from mid-July 2021. The Pegasus Project involved 80 journalists from the media partners: The Guardian (UK), Radio France and Le Monde (France), Die Zeit and Süddeutsche Zeitung (Germany), The Washington Post (United States), Haaretz/TheMarker (Israel), Aristegui Noticias, Proceso, OCCRP, Knack, Le Soir, The Wire (India), Daraj, Direkt36 (Hungary), and PBS Frontline. Evidence was found that many phones with numbers in the list had been targets of Pegasus spyware. However, The CEO of NSO Group categorically claimed that the list in question is unrelated to them, the source of the allegations can't be verified as reliable one. "This is an attempt to build something on a crazy lack of information...There is fundementally wrong with this investigation".
Lookout provided details of the three iOS vulnerabilities:
- CVE-2016-4655: Information leak in kernel – A kernel base mapping vulnerability that leaks information to the attacker allowing them to calculate the kernel's location in memory.
- CVE-2016-4656: Kernel memory corruption leads to jailbreak – 32 and 64 bit iOS kernel-level vulnerabilities that allow the attacker to secretly jailbreak the device and install surveillance software – details in reference.
- CVE-2016-4657: Memory corruption in the webkit – A vulnerability in the Safari WebKit that allows the attacker to compromise the device when the user clicks on a link.
News of the spyware received significant media attention, particularly for being called the "most sophisticated" smartphone attack ever, and, for being the first detection of a remote Apple jailbreak exploit.
NSO Group comment
Dan Tynant of The Guardian wrote an August 2016 article that featured comments from NSO Group, where they stated that they provide "authorized governments with technology that helps them combat terror and crime", although the Group told him that they had no knowledge of any incidents.
The organization developing the open source phone Librem 5, Purism, stated that the best defense against such spyware would be for users and developers to have control over the software – so that they can and do fully inspect it to quickly detect and patch vulnerabilities globally – and the hardware – so that they can switch components off physically.
Bug-bounty program skepticism
In the aftermath of the news, critics asserted that Apple's bug-bounty program, which rewards people for finding flaws in its software, might not have offered sufficient rewards to prevent exploits being sold on the black market, rather than being reported back to Apple. Russell Brandom of The Verge commented that Apple's bug-bounty program, which rewards people who manage to find faults in its software, maxes out at payments of $200,000, "just a fraction of the millions that are regularly spent for iOS exploits on the black market". He goes on to ask why Apple doesn't "spend its way out of security vulnerabilities?", but also writes that "as soon as [the Pegasus] vulnerabilities were reported, Apple patched them—but there are plenty of other bugs left. While spyware companies see an exploit purchase as a one-time payout for years of access, Apple’s bounty has to be paid out every time a new vulnerability pops up." Brandom also wrote; "The same researchers participating in Apple’s bug bounty could make more money selling the same finds to an exploit broker." He concluded the article by writing; "It's hard to say how much damage might have been caused if Mansoor had clicked on the spyware link... The hope is that, when the next researcher finds the next bug, that thought matters more than the money."
- "Forensic Methodology Report: How to catch NSO Group's Pegasus". www.amnesty.org. Retrieved July 19, 2021.
- Timberg, Craig; Albergotti, Reed; Guéguen, Elodie (July 19, 2021). "Despite the hype, iPhone security no match for NSO spyware - International investigation finds 23 Apple devices that were successfully hacked". The Washington Post. Retrieved July 19, 2021.
- Boot, Max (December 5, 2018). "An Israeli tech firm is selling spy software to dictators, betraying the country's ideals". The Washington Post. Retrieved April 19, 2019.
- Bouquet, Jonathan (May 19, 2019). "May I have a word about… Pegasus spyware". The Guardian.
- Marczak, Bill; Scott-Railton, John (August 24, 2016). "The Million Dollar Dissident: NSO Group's iPhone Zero-Days used against a UAE Human Rights Defender". Citizen Lab. Retrieved December 21, 2016.
- Amitai Ziv "Israeli Cyberattack Firm NSO Bought Back by Founders at $1b Company Value; Two founders are partnering with European private equity fund Novalpina to purchase the controversial firm from Francisco Partners" February 14, 2019, Haaretz
- Franceschi-Bicchierai, Lorenzo (August 26, 2016). "Government Hackers Caught Using Unprecedented iPhone Spy Tool". Motherboard (website). Vice Media. Retrieved May 15, 2019.
- "What is Pegasus spyware and how does it hack phones?". The Guardian. July 18, 2021. Retrieved July 19, 2021.
- Kirchgaessner, Stephanie; Lewis, Paul; Pegg, David; Cutler, Sam (July 18, 2021). "Revealed: leak uncovers global abuse of cyber-surveillance weapon". The Observer.
- "With Israel's Encouragement, NSO Sold Spyware to UAE and Other Gulf States". Haaretz. Retrieved August 23, 2020.
- "Al Jazeera journalists 'hacked via NSO Group spyware'". BBC News. December 21, 2020. Retrieved March 10, 2021.
- "Al Jazeera journalists hacked using Israeli firm's spyware". Al Jazeera. Retrieved March 10, 2021.
- Lee, Dave (August 26, 2016). "Who are the hackers who cracked the iPhone?". BBC News.
- "Sophisticated, persistent mobile attack against high-value targets on iOS". Lookout. August 25, 2016. Retrieved December 21, 2016.
- Kirkpatrick, David; Ahmed, Azam (August 31, 2018). "Hacking a Prince, an Emir and a Journalist to Impress a Client". The New York Times. Retrieved August 31, 2018.
- Perlroth, Nicole (September 2, 2016). "How Spy Tech Firms Let Governments See Everything on a Smartphone". The New York Times. Retrieved August 31, 2018.
- "Lawsuits claim Israeli spyware firm helped UAE regime hack opponents' phones". The Times of Israel. August 31, 2018. Retrieved August 31, 2018.
- Perlroth, Nicole (August 25, 2016). "IPhone Users Urged to Update Software After Security Flaws Are Found". The New York Times. Retrieved December 21, 2016.
- Fox-Brewster, Thomas (August 25, 2016). "Everything We Know About NSO Group: The Professional Spies Who Hacked iPhones With A Single Text". Forbes. Retrieved December 21, 2016.
- John Snow (August 17, 2017). "Pegasus: The ultimate spyware for iOS and Android". Kaspersky Daily.
- Bhattacharya, Ananya. "What is Pegasus and how did it target Indians on WhatsApp?". Quartz. Retrieved March 10, 2021.
- "Did Indian Govt Buy Pegasus Spyware? Home Ministry's Answer Is Worrying". HuffPost. November 19, 2019. Retrieved March 10, 2021.
- "Indian Activists, Lawyers Were 'Targeted' Using Israeli Spyware Pegasus". The Wire. Retrieved March 10, 2021.
- "Phones Of Indian Politicians, Journalists Hacked Using Pegasus: 10 Facts On Report". NDTV. Retrieved July 19, 2021.
- "Pegasus spyware used to 'snoop' on Indian journalists, activists". The Hindu. Special Correspondent. July 19, 2021. ISSN 0971-751X. Retrieved July 19, 2021.CS1 maint: others (link)
- "Phones of 2 Ministers, 3 Opp leaders among many targeted for surveillance: report". The Indian Express. July 19, 2021. Retrieved July 19, 2021.
- "Snoop List Has 40 Indian Journalists, Forensic Tests Confirm Presence of Pegasus Spyware on Some". thewire.in. Retrieved July 21, 2021.
- "Eleven phones targeted: Of woman who accused ex-CJI of harassment, kin". The Indian Express. July 20, 2021. Retrieved July 21, 2021.
- "Days After Accusing CJI Gogoi of Sexual Harassment, Staffer Put on List of Potential Snoop Targets". thewire.in. Retrieved July 21, 2021.
- "Leaked Snoop List Suggests Surveillance May Have Played Role in Toppling of Karnataka Govt in 2019". thewire.in. Retrieved July 21, 2021.
- Bureau, Karnataka Bureau & New Delhi (July 20, 2021). "Key Cong-JDS leaders were 'possible targets' of Pegasus spyware during 2019 crisis: report". The Hindu. ISSN 0971-751X. Retrieved July 21, 2021.
- "China, Iran diplomats among people in Pegasus list: Report". July 20, 2021.
- "'It's a free-for-all': how hi-tech spyware ends up in the hands of Mexico's cartels". The Guardian. December 7, 2020.
- Ahmed, Azam, and Perlroth, Nicole, "Using Texts as Lures, Government Spyware Targets Mexican Journalists and Their Families", The New York Times, June 19, 2017
- Kirkpatrick, David D. (December 2, 2018). "Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says (Published 2018)". The New York Times. ISSN 0362-4331. Retrieved March 10, 2021.
- Burgess, Matt (January 23, 2020). "If Saudi Arabia did hack Jeff Bezos, this is probably how it went down". Wired UK. Archived from the original on July 20, 2021.
- Sarkar, Debashis (January 23, 2020). "Forensic report reveals Israeli spyware Pegasus behind Jeff Bezos's phone hack". Times of India. Archived from the original on July 20, 2021.
- "BJP Fields State Leaders to Tackle Pegasus Allegations, Uses 'International Conspiracy' Bogey". The Wire. Retrieved July 21, 2021.
- "Israel Helped Over Ten Countries Tap Over 50,000 Phones". Daraj. July 18, 2021.
- "Direkt36" (in Hungarian). Retrieved July 19, 2021.
- "About The Pegasus Project". Forbidden Stories. Retrieved July 19, 2021.
- "THE PEGASUS PROJECT Live Blog: Major Stories from Partners". FRONTLINE. Retrieved July 21, 2021.
- "NSO CEO exclusively responds to allegations: "The list of 50,000 phone numbers has nothing to do with us" | Ctech". m.calcalistech.com. Retrieved July 21, 2021.
- Esser, Stefan (September 5, 2016). "PEGASUS iOS Kernel Vulnerability Explained – Part 2". SektionEins GmbH. Retrieved August 31, 2019.
- Szoldra, Paul (August 26, 2016). "Inside 'Pegasus,' the impossible-to-detect software that hacks your iPhone". Business Insider. Axel Springer SE. Retrieved December 21, 2016.
- Roettgers, Janko (August 26, 2016). "This App Can Tell if an iPhone Was Hacked With Latest Pegasus Spy Malware". Variety. Retrieved December 21, 2016.
- Newman, Lily Hay (August 25, 2016). "A Hacking Group Is Selling iPhone Spyware to Governments". Wired. Retrieved December 21, 2016.
- Swartz, Jon; Weise, Elizabeth (August 26, 2016). "Apple issues security update to prevent iPhone spyware". USA Today. Retrieved December 21, 2016.
- Tamblyn, Thomas (August 26, 2016). "What Is The "Pegasus" iPhone Spyware And Why Was It So Dangerous?". HuffPost. AOL. Retrieved December 21, 2016.
- Khan, Sami (August 27, 2016). "Meet Pegasus, the most-sophisticated spyware that hacks iPhones: How serious was it?". International Business Times. IBT Media. Retrieved December 21, 2016.
- Brandom, Russell (August 25, 2016). "A serious attack on the iPhone was just seen in use for the first time". The Verge. Retrieved December 21, 2016.
- Tynan, Dan (August 25, 2016). "Apple issues global iOS update after attempt to use spyware on activist's iPhone". The Guardian. Retrieved December 21, 2016.
- "Defending Against Spyware Like Pegasus". Purism. July 21, 2021. Retrieved July 22, 2021.
- Brandom, Russell (August 26, 2016). "Why can't Apple spend its way out of security vulnerabilities?". The Verge. Retrieved December 21, 2016.