Israeli company NSO group's Pegasus spyware is 'a big black hole' and near impossible to crack, 'as the company keeps updating its modus operandi on how to attack mobile phones with malware,' says cyber expert Sandeep Shukla, speaking to The Quint.
Shukla is a professor of Computer Science and Engineering at IIT Kanpur, and also runs a government-funded cyber security lab.
A global collaborative investigative project published by 17 media organisations on 18 July claims that mobile phones of at least 300 Indians were targeted by the NSO group using its Pegasus spyware. The list includes BJP ministers, opposition leaders, top lawyers, businessmen, rights activists and journalists.
Pegasus first made headlines in 2019 when Facebook-owned WhatsApp confirmed that the spyware had been used to target around 1,400 users, including journalists and human rights activists in India. WhatsApp made this disclosure in a US court in San Francisco.
WhatsApp claims to have fixed the software vulnerabilities that allowed Pegasus to penetrate a mobile phone simply by placing a WhatsApp video missed call to the target.
But Pegasus seems to have simply found other ways of spying on individuals' mobile phones.
The Quint spoke to cyber expert Sandeep Shukla to find out more about how the Pegasus spyware operates and what measures, if any, can be taken to protect mobile phones from being affected.
How does Pegasus inject malware into a user's mobile phone?
Prior to 2019, one of the methods used by Pegasus to penetrate mobile phones was through a WhatsApp video missed call. It seems WhatsApp fixed that vulnerability.
But now we have learnt that Pegasus is using Apple's messaging application, iMessage, available on iPhones, to inject malware into mobile phones. What Pegasus spyware seems to be doing is sending a properly drafted message to the phone, embedded with malware. The owner of the mobile phone doesn't even need to click on the message to activate the malware. Even if the victim deletes the message from iMessage, the malware would still penetrate the phone. It seems to me that iMessage has a bug similar to the one WhatsApp had earlier.
Does Pegasus keep changing its method of attacking mobile phones?
Yes. iMessage seems to be just one of many methods. Most of the methods are so-called 'zero-click' attacks, which do not require any interaction with the user of the 'target phone'. Zero-click attacks have been observed since 2019 or maybe before, and continue even now. Most recently this has been observed on iPhones.
You run a cyber security lab, have you tested any phone that was affected by Pegasus Spyware?
We have not tested any mobile phone in our lab that was infected with Pegasus spyware. I would like to point out here that I, or any cyber expert, can ONLY find out whether a phone is infected with some malware or not. But it would be tough to say for sure whether the malware was specifically injected by Pegasus, because NSO group keeps redesigning its method of attacking an individual's phone. As of now, only the Citizen Lab has conducted forensic tests on a few mobile phones affected by Pegasus, based on which they have profiled its modus operandi.
How does NSO group redesign its attacking method?
There has been a huge market for finding vulnerabilities in different gadget applications since the 90s. From governments to security agencies to corporations, all have been interested. These are called 'zero-day vulnerability' markets. A zero-day vulnerability is an unpatched software flaw previously unknown to the software vendor. So, some very talented cyber experts, who work on finding vulnerabilities in various applications, sell information about these vulnerabilities for millions of dollars, and the purchaser then exploits them.
If the vulnerability in an application is so critical that it can be exploited without any interaction with the 'victim gadget' or the victim (read 'zero-click'), then such information may be 'purchased' by companies like NSO group that offer high-end gadget 'surveillance' services. A company like NSO may either 'purchase' such information or develop new surveillance technology 'in-house'. This is how NSO is likely to ensure that Pegasus keeps changing and updating its means of attacking individuals' phones.
Can any anti-virus detect the malware injected by Pegasus?
Any anti-virus software can only read malware that it is already aware of. For example, in the case of the Bhima Koregaon activists, it seems an old malware called 'NetWire' was injected into the laptops of the accused. So, McAfee anti-virus detected it.
But in the case of Pegasus, it is possible that the company wrote a completely new malware that McAfee or any other anti-virus firm may not be aware of. Hence, it would be tough to find the malware. I am sure various forensic labs must be working hard on figuring out how to detect the Pegasus malware.
But again, nothing is stopping Pegasus from designing a new malware. I have learnt that they keep checking whether any anti-virus software has been able to detect its malware. If and when that happens, Pegasus updates its malware. So this is actually an ongoing war.
The NSO group, in its defence, claims that they spy only on terrorists and terrorist organisations. What do you have to say?
I feel that NSO group should be taken to court for crimes against democracy and humanity. In the name of tracking terrorist organisations, the company is involved in unethical work. Terrorists would not use smartphones or permanent mobile phones. They would probably use satellite phones or highly encrypted phones for communication.
Is there no escape from attacks by the Pegasus spyware?
Currently, it looks like there is no escape. Well, some protection from Pegasus' attacks can be achieved by using 'non-smart' phones or primitive phones, because it is tough to inject malware on such phones as they have limited storage capacity and run very few applications.
There is no information in the public domain about primitive phones being attacked by Pegasus. But one cannot be sure of anything in this case.
Will there be any end to such attacks?
I don't think so because Pegasus will keep updating its malware and methods by exploiting vulnerabilities of various applications. There could be a short-term solution but no long-term solution. Also, the 'market' and 'demand' for such spyware will keep companies like NSO in business, and encourage them to invest millions in developing newer versions of 'undetectable' spyware.