Spy software: How “Pegasus” gets on your mobile phone


Exclusive

As of: 07/18/2021 6:01 p.m.

The software “Pegasus” from the Israeli company NSO is one of the most powerful surveillance tools in the world. The program can be secretly installed on cell phones without the victim knowing anything about it.

By Christian Baars, Florian Flade and Georg Mascolo,
NDR / WDR

The name “Pegasus” was chosen because the software is a Trojan horse, one with wings that flies straight to the cell phone, as Shalev Hulio, head of the Israeli company NSO, once said in an interview. No physical access to the device is necessary. The spy program can be installed remotely and secretly, without the target person noticing – and even without the victim having to do anything.

“Avoid unnecessary risks: you do not have to be near the target or the device at any time,” said an NSO brochure a few years ago. The winged Trojan horse “Pegasus” is the company’s best seller. It is used worldwide: intelligence services and police authorities use the program to spy on target persons comprehensively and unnoticed.

If attackers manage to get “Pegasus” onto someone else’s cell phone, they have complete control over the device. They can copy all the data from the phone, secretly activate the microphone or camera, and even read encrypted messages. A major reason for the popularity of the controversial software is likely the fact that “Pegasus” can be installed on a cell phone comparatively easily and that this can hardly be prevented.

“There is no effective way for a user to counter this type of attack,” said Amnesty International IT security expert Claudio Guarnieri. NSO offers its customers various ways of infecting target persons’ cell phones – depending on the device type or operating system, these can be more or less complex.

With and without a click

The “classic” method by which “Pegasus” gets onto a cell phone works with the help of a bogus message. The target person is tricked into clicking a link or a file, for example in a text message or an e-mail, and thus unknowingly starts the download themselves. As soon as they click on it, the Trojan installs itself. For this purpose, NSO provides its customers with a kind of construction kit with which bogus e-mails or text messages can be designed to look as realistic and plausible as possible.

NSO has, however, found another, frightening way in which “Pegasus” can be installed unnoticed on a mobile phone – a way against which the victims are completely defenseless. No click is needed any more. The cell phone only needs to be switched on and connected to the network. The attacker sends a message that is not displayed on the phone. It causes the device to load and install the spy software.

Amnesty International security experts found traces of the “Pegasus” software on several iPhones, some of them fully up to date. According to their analysis, the spy program can be installed remotely via the internet-based iMessage service. NSO’s customers only need to enter the target person’s phone number. The smartphone then automatically receives data downloaded from the Internet – in this case the “Pegasus” Trojan.

Software vulnerabilities exploited

Amnesty International’s security experts have not been able to verify whether this method works in a similar way on Android devices. The organization has made Apple aware of the vulnerability. When asked, the company said that this type of attack does not threaten the overwhelming majority of users, and that it naturally works continuously to ensure the security of all customers.

However, one thing is clear: hackers around the world are constantly searching for new holes in these systems – and sometimes sell them for a lot of money to intelligence services or companies such as NSO. The device manufacturers usually lag behind in this race.

IT researchers from Citizen Lab at the University of Toronto looked at how previous versions of “Pegasus” worked. They discovered that the program abuses a chain of software vulnerabilities in operating systems such as iOS or Android, using so-called exploits. These included vulnerabilities that were particularly useful for hackers: so-called “zero-day exploits”. These are security gaps that can be exploited for attacks straight away, before the manufacturer has been able to take countermeasures. In some cases, the NSO Trojan is said to have used three such “zero days” in succession to gain access to a phone.

Over the network

Another way of infecting devices with the “Pegasus” Trojan is via a WLAN (Wi-Fi) network or the local cellular network. For this, the cell phone has to log into a manipulated cell tower or router. NSO sells devices that pretend to be a cell tower – so-called IMSI catchers. Their signal is stronger than that of all surrounding towers, so the cell phone connects to them. The attacker thereby inserts itself, so to speak, between the mobile phone and a real cell tower. When the user then calls up a website – such as Google’s – the data stream is redirected to NSO’s servers in a split second, and the surveillance software is delivered to the cell phone over the network.

Once installed on the mobile phone, “Pegasus” can not only carry out surveillance measures or search through the stored data. The software is apparently also able to suppress important security updates from the manufacturer that could, for example, close weak points in the operating system. In this way, the Trojan ensures that it can keep functioning on the cell phone for a long time.

The manufacturer states that it sells its technology only to vetted government agencies, and exclusively for the purpose of fighting terrorism and crime. For this, the software is used “every day” worldwide, NSO reports; it is on a “life-saving mission”.

Hannes Munzinger contributed to the research for this text.
