While the idea is not to paint a dystopian picture of a “Big Brother” watching you all the time, it is nevertheless prudent to acknowledge that even the technologies used by the likes of Facebook and Google are susceptible to data pilferage.
Governments and rogue actors today have access to highly sophisticated tools for mass and targeted surveillance, a threat that is intensifying as smartphones become the key device for almost all day-to-day tasks.
Discussion around privacy and surveillance has, yet again, entered mainstream discourse in the wake of WhatsApp, the world’s most popular chat app, admitting that the privacy of some of its users was compromised through the spyware Pegasus.
WhatsApp first disclosed the breach in May last year, when it said 1,400 people globally were affected, including 121 from India. It said a vulnerability in its voice call feature allowed the spyware to enter the target’s phone. Facebook, which owns WhatsApp, consequently sued Pegasus-issuer NSO Group.
The row has picked up afresh and activated government departments, from the IT ministry to cyber-security wing CERT-IN, which say WhatsApp did not “adequately” disclose the breach, even as they figure out how and whom to hold responsible. Policy aside, a look into Pegasus and its workings shows the industry standard of modern-day snooping.
How Pegasus infects the devices
Pegasus is built by a little-known Israeli firm, NSO Group, which came into the limelight in 2016, when it was discovered that the tool was used to target Saudi activist Ahmed Mansoor. Later, it was used on Mexican journalists and lawyers who were working on investigations involving corruption of the then President of that country. As of 2018, the tool has targeted people in 45 countries, according to research by Citizen Lab, a cyber-security group at the University of Toronto, Canada.
The company claims Pegasus is offered only to “government and intelligence agencies”. By employing it, users (operators) “can remotely and covertly extract valuable intelligence from virtually any mobile device”, and review it over a dashboard interface from anywhere in the world.
Not only are the target’s passwords, SMS and email inbox, call logs, current location and photos compromised, Pegasus is also capable of monitoring the target’s cellphone screen to show real-time activity, and accessing the camera or microphone on command.
Here is how it works: A special “exploit link” is generated and sent to the target over a messaging service or email, disguised as an enticing, harmless-looking hyperlink (a promotional offer, link to an interesting story or photo). Once the target clicks on it, an “agent” is installed on the phone, which penetrates security features and installs Pegasus without the user’s knowledge or permission. The malware then begins relaying the information back to the “operator” (the one that has initiated the Pegasus attack), and carries out special commands.
Though the NSO Group keeps finer details under wraps, San Francisco-based digital rights group Electronic Frontier Foundation (EFF) recently posted a link to the Pegasus product guide, which gives some information on its working.
“Injecting and installing an agent on the device is the most sensitive and important phase of the intelligence operation conducted on the target device. Each installation has to be carefully planned to ensure it is successful… luring the target to open it. A single click, either planned or unintentional, on the link will result in hidden agent installation,” according to the leaked marketing deck.
“Possibly, there can be different ways through which Pegasus can infect your mobile phones and it’s not just limited to a malicious link or a malicious call to the users running vulnerable versions of WhatsApp app,” said Sanjay Katkar, co-founder and chief technology officer at anti-virus firm QuickHeal.
“Users should be always alert while clicking on links received through messages, emails or any social media platforms and should refrain from installing apps from third-party app stores,” added Katkar.
The WhatsApp case
In the case of WhatsApp, however, Pegasus is let onto the victim’s device through another method. According to WhatsApp’s lawsuit in a California court, operators were able to infect devices through a missed call over the WhatsApp call feature.
“Defendants set up various computer infrastructure, including WhatsApp accounts and remote servers” and then “used WhatsApp accounts to initiate calls through Plaintiffs’ servers that were designed to secretly inject malicious code onto Target Devices,” the lawsuit reads.
“Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings… Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.”
Having said that, zero-interaction spyware is rare, said Yaniv Balmas, head of cyber research, Check Point Software, a cybersecurity consultancy. “This particular WhatsApp security issue used by NSO is special in the sense that it is zero click and required (almost) no user interaction. Because of that, there is very little any user can do to keep him/her safe. However such zero click attacks are rare and most of the security issues today do require some sort of user interactions,” said Balmas.
Is surveillance-state a reality?
The sophistication of Pegasus combined with its use over WhatsApp, the world’s most used messaging app, lays bare the chilling possibilities of mass-scale snooping. Already, China is creating comprehensive cyber profiles for all its citizens, and penalising those who do not agree with the government’s policies or toe the line. Besides, there are readily available tools to monitor users’ comments and sentiment over social media.
For a couple of years, a tool called AASMA has been in use for assessing social media sentiment. Developed by IIT-Delhi, AASMA can track the behaviour of Indians on social media platforms and deliver insights on the same. According to a report, it was used by over 40 government departments up until last year.
This comes even as the Supreme Court, in August last year, advised the BJP government to shelve the proposed social media communication hub (SMCH). Under the plan it was intended to establish interconnected social media communication hubs across the country to create 360-degree profiling of those seen as influencing discourse. It was intended to give analytical inputs to the government.
These are only a handful of tools that have come to the fore, while a large section of the modern surveillance apparatus continues to remain behind the curtain. While the future outlook is scary, to say the least, marginal comfort can be derived from the fact that with more and more conversations on digital rights and privacy taking place, prudent activism has the ability to prevent any state-sponsored snooping from taking shape.