Explainer: What is Pegasus? How does it work and how to protect your phones

New Delhi: A global investigation by 16 media organizations had revealed the scandalous mass surveillance by the Israeli company NSO Group’s spy software Pegasus, using which at least 300 people are believed to have been targetted, including two serving ministers in the Narendra Modi government, three Opposition leaders, one constitutional authority, several journalists and business persons.

The entire incident took the news and governments by storm, raising some questions on how did it happen? Did we already see this coming and most importantly the involvement of people in this.

But Pegasus has been under the scanner, over its surveillance activities, for a while now. 

In September 2018, The Citizen Lab, a Canadian cybersecurity organization, published a comprehensive report identifying 45 countries, including India, in which the spyware was being used.

Then in October 2019, WhatsApp revealed that journalists and human rights activists in India had been targets of surveillance by operators using Pegasus.

But apart from these, there have been questions that are now being frequently asked about the software.

What is Pegasus?

Pegasus is a type of malicious software or malware classified as spyware. It has been developed by the Israeli firm NSO Group that was set up on 25 January 2010.

According to an Amnesty International report, the first name initials of the founders form the acronym ‘NSO’. The founders are Niv Carmi, Shalev Hulio, and Omri Lavie.

The Amnesty report citing Hulio says NSO’s goal was “to develop technology that would provide law enforcement and intelligence agencies with direct remote access to mobile phones and their content – a workaround to the increasingly widespread use of encryption in the digital environment”.

Spyware such as Pegasus is designed to gain access to your device, without your knowledge, and gather personal information and relay it back to whoever it is that is using the software to spy on you.

According to this report, Pegasus is “the ultimate spyware for iOS and Android”, and has been behind the “most sophisticated attack ever seen”

Spyware can be relatively simple, taking advantage of well-known security weaknesses to hack into poorly defended devices. But some of it is very sophisticated, relying on unpatched software flaws that can allow someone to pry into even the latest smartphones with advanced security measures.

The company NSO group, however, claims to sell it to only ‘vetted governments’ worldwide.

How does it work?

To give a basic understanding, Pegasus can infect devices that are connected to the internet and according to some experts, it can affect phones without the users clicking on random links or messages.

A hacker would typically try to infect a victim’s device with Pegasus using a phishing link, mostly sent via a text message that looks innocent and benign. 

Clicking on the phishing link would (without the victim’s knowledge) start the download of Pegasus on the device and set up a connection with a hacker’s command computer that could be thousands of miles away. 

The hacker can then communicate with the Pegasus spyware via the remote command center and issue directions for what information the spyware should send back to the hacker’s server.

According to The Citizen Lab, in this way, Pegasus can be used to gather a vast amount of victim information: “Passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.”

According to this report, “Pegasus could even listen to encrypted audio streams and read encrypted messages”.

Then there are the other aspects that make Pegasus an extremely sophisticated software.

A worrying aspect that has been revealed is the ability of the spyware to infect a device by a ‘zero-click attack, which does not require any action from the phone’s user. This is an upgrade from earlier spear-phishing methods using text links or messages.

Can our phones be protected against this?

There is little meaningful legal protection against being targeted by spyware in most of the world. NSO says Pegasus cannot be used on numbers inside the United States, Israel’s most important ally.

The United States has some legal restrictions on spyware, including the federal Computer Fraud and Abuse Act, which was enacted in 1986 and bans “unauthorized access” of a computer or phone, but its vague language has meant that it’s often unevenly applied in court.

Some states have passed cybersecurity and privacy laws, such as California’s Comprehensive Computer Data Access and Fraud Act, which bans electronic tampering or interference. WhatsApp has cited both laws in an ongoing court case against NSO.

However, you can follow some rules to make sure none of your personal data is leaked. Firstly, you should ensure that your smartphone is up to date. You should also avoid sideloading third-party apps or installing apps by lesser-known developers. Lastly, you should avoid doing any confidential work on your smartphone at least until this spyware gets a complete fix.