Pegasus spyware, which targeted at least 40 Indian journalists, has evolved from its earlier method of infecting phones through spear-phishing links to 'zero-click' attacks, a more sophisticated method that gives the operator access to the target's smartphone in real time without the target doing anything at all.
A report by The Wire, late on the evening of Sunday, 19 July, indicated that the phones of top journalists from well-known media organisations such as the Hindustan Times, India Today, Network18, The Hindu and The Indian Express were hacked by the Israeli spyware.
In this article, The Quint decodes how Pegasus evolved over the years into the most powerful spyware of its kind, one that is now nearly impossible to detect.
What Are Zero-Click Attacks?
A zero-click attack is a remote cyber attack which does not require any interaction from the target to compromise it.
To put it simply, a zero-click attack can take place without the target clicking a malicious link, visiting a website or installing an app.
Sourajeet Majumder, a cyber security expert, told The Quint that Pegasus eliminates the need for human error to compromise a device and instead relies on software or hardware flaws to gain complete access to it.
How Do Zero-Click Attacks Work?
Typically, attackers infect a target's mobile device through some form of social engineering, i.e. sending the target a malicious link that, when clicked, installs the malware or exposes the device to it.
But such attempts can raise the victim's suspicions and potentially leave evidence that helps identify the perpetrator.
Pegasus has therefore been designed to bypass the need for any social engineering. Zero-click attacks give threat actors the ability to take over a smartphone in real time without any interaction with the target.
Step-by-Step Methods Used by Attackers:
1. The threat actor looks for an exploitable vulnerability in an application on the target's phone, typically one that processes incoming data automatically, such as a messaging app.
2. The attacker then crafts special data, such as a hidden text message or an image file, that triggers the flaw when the app parses it, injecting code that compromises the device.
3. Once the device is compromised, the message used to exploit it is deleted, so that no trace of how the spyware arrived remains on the phone.
"What's scary is that this happens without any knowledge of or interaction by the victim," says Sourajeet Majumder, cyber security researcher.
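The mechanism in the steps above, as an added example that is not code from the article, from NSO Group or from any real messaging app: a toy attachment parser in C of the kind a chat app runs automatically to draw a preview of an incoming image, which is why no tap from the user is needed. The attachment format, both parsers, the canary harness and the sample messages are all constructed for illustration. The vulnerable parser trusts the length field inside the attacker's data; the hardened parser adds the bound it is missing.

```c
/* Added example, not code from the article, NSO Group or any messaging app.
 * Constructed attachment format: 4-byte big-endian payload length, payload.
 * The app decodes it automatically into a fixed-size preview buffer. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define THUMB_SIZE  64    /* fixed-size buffer the preview is decoded into  */
#define CANARY_SIZE 16    /* guard bytes after it, so an overflow is visible */
#define CANARY_BYTE 0xA5

typedef int (*attachment_parser)(const uint8_t *msg, size_t msg_len,
                                 uint8_t *thumb);

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable: checks the length against the message but never against the
 * destination, so a payload longer than THUMB_SIZE is written past thumb.
 * Returns bytes copied, or -1 for a truncated message. */
int parse_attachment_vulnerable(const uint8_t *msg, size_t msg_len,
                                uint8_t *thumb)
{
    if (msg_len < 4)
        return -1;
    uint32_t len = read_be32(msg);
    if ((size_t)len > msg_len - 4)   /* payload must fit in the message... */
        return -1;
    memcpy(thumb, msg + 4, len);     /* ...nobody asked whether it fits thumb */
    return (int)len;
}

/* Hardened: same format, with the missing bound checked before any copy.
 * Returns bytes copied, -1 if truncated, -2 if the declared length is too big. */
int parse_attachment_hardened(const uint8_t *msg, size_t msg_len,
                              uint8_t *thumb)
{
    if (msg_len < 4)
        return -1;
    uint32_t len = read_be32(msg);
    if (len > THUMB_SIZE)
        return -2;
    if ((size_t)len > msg_len - 4)
        return -1;
    memcpy(thumb, msg + 4, len);
    return (int)len;
}

/* Builds an attachment declaring declared_len bytes of fill (constructed
 * sample input). Returns the message size, or 0 if it does not fit in out. */
size_t build_attachment(uint8_t *out, size_t out_cap, uint32_t declared_len,
                        uint8_t fill)
{
    if (out_cap < 4 || declared_len > out_cap - 4)
        return 0;
    out[0] = (uint8_t)(declared_len >> 24);
    out[1] = (uint8_t)(declared_len >> 16);
    out[2] = (uint8_t)(declared_len >> 8);
    out[3] = (uint8_t)declared_len;
    memset(out + 4, fill, declared_len);
    return 4 + declared_len;
}

/* Runs a parser with the preview buffer at the start of one arena that also
 * holds the canary, so an overflow lands in the canary rather than in
 * unrelated memory (the crafted message below is sized to stay inside it).
 * Stores the parser's return value in *rc; returns 1 if the canary is intact,
 * 0 if the parser wrote past THUMB_SIZE. */
int run_in_arena(attachment_parser parser, const uint8_t *msg, size_t msg_len,
                 int *rc)
{
    uint8_t arena[THUMB_SIZE + CANARY_SIZE];
    memset(arena, 0, THUMB_SIZE);
    memset(arena + THUMB_SIZE, CANARY_BYTE, CANARY_SIZE);
    *rc = parser(msg, msg_len, arena);
    for (size_t i = THUMB_SIZE; i < sizeof arena; i++)
        if (arena[i] != CANARY_BYTE)
            return 0;
    return 1;
}

int main(void)
{
    uint8_t msg[4 + THUMB_SIZE + CANARY_SIZE];
    int rc, intact;

    /* Benign preview: 32 bytes, accepted by both parsers. */
    size_t n = build_attachment(msg, sizeof msg, 32, 0x42);
    intact = run_in_arena(parse_attachment_vulnerable, msg, n, &rc);
    printf("benign  / vulnerable: rc=%d canary_intact=%d\n", rc, intact);
    intact = run_in_arena(parse_attachment_hardened, msg, n, &rc);
    printf("benign  / hardened:   rc=%d canary_intact=%d\n", rc, intact);

    /* Crafted "hidden image": declares 8 bytes more than the buffer holds.
     * A real exploit would steer the overflow into code execution; here it
     * only smashes the canary. */
    n = build_attachment(msg, sizeof msg, THUMB_SIZE + 8, 0x41);
    intact = run_in_arena(parse_attachment_vulnerable, msg, n, &rc);
    printf("crafted / vulnerable: rc=%d canary_intact=%d\n", rc, intact);
    intact = run_in_arena(parse_attachment_hardened, msg, n, &rc);
    printf("crafted / hardened:   rc=%d canary_intact=%d\n", rc, intact);
    return 0;
}
```

The point a defender should take from this is where the check sits: the hardened parser rejects the attachment on the declared length alone, before any byte of attacker-controlled data is copied. In a real zero-click chain the overflow is only the first step; the exploit then has to turn memory corruption into code execution and escape the app's sandbox, and the delivery message is removed afterwards, which is why the article describes these attacks as so hard to spot after the fact.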
Zero-Click Attack vs Spear Phishing Attack
It is important to note that there is a huge difference between how zero-click attacks and spear phishing attacks work.
Zero-click attacks occur when an attacker takes over a device remotely after successfully exploiting vulnerabilities in the phone's software or hardware.
To make this kind of attack succeed, an attacker needs to exploit flaws in the device itself, whereas spear phishing is a social engineering attack in which the hacker sends a fraudulent message designed to trick the victim into revealing confidential information or infecting their own device with malicious software.
Majumder notes that vulnerabilities that can be exploited for zero-click attacks are rare and require a great deal of skill to find. But these attacks guarantee almost 100 percent success for threat actors because they don't require tricking targets into taking any action.
Spear phishing attacks, on the other hand, are easy to carry out and are performed often, but they add uncertainty to any hacking scheme because the target may not take the bait.
Which Device is Safer: Apple or Android?
Apple's iOS is a closed system: Apple does not release its source code, and owners cannot modify the operating system on their phones. That limits what can be tampered with on the device, but a closed code base by itself does not stop a well-resourced attacker from finding vulnerabilities, as zero-click attacks on iPhones show.
Android, on the other hand, is built on open-source code. Manufacturers ship their own modified versions of it and owners can tinker with the OS, which leaves more room for weaknesses in a device's security and means security updates reach different devices at different times.
"Apple devices are generally considered more secure, but it should be noted that it is not impossible for cybercriminals to attack iPhones or iPads. The owners of both Android and iOS devices need to be aware of possible malware and viruses, and should be careful while clicking on any links or downloading any untrusted applications," adds Majumder.
Pegasus: Evolution Over The Years
Pegasus was first detected in 2016, when it used spear phishing messages carrying malicious links to infect a smartphone.
Three years later, in 2019, WhatsApp blamed Pegasus for infecting more than 1,400 phones through a simple WhatsApp missed call. This was done using a zero-click vulnerability in the app's voice-calling feature.
Reports suggest that NSO Group has used servers hosted by cloud-computing providers such as Amazon Web Services to deliver Pegasus to phones.