What is Pegasus?
Cyber espionage by governments has once again hit the headlines after the Guardian newspaper and 16 other media outlets reported on the use of commercial malware by authoritarian regimes to target political activists, politicians and journalists. This powerful commercial malware is called Pegasus and is sold for millions of dollars by an Israeli company called NSO Group.
Pegasus, the most sophisticated malware discovered, can record phone calls, copy messages and secretly film the device owner and those around them.
What is Pegasus?
Put simply, Pegasus is commercial spyware. Unlike malware that cybercriminals use to make money through theft and the like, Pegasus is designed for espionage only. Once this tool has penetrated an Android phone or iPhone, the device becomes a complete eavesdropping tool.
Text messages, emails, WhatsApp messages and more can easily be read and copied with this tool. It can even record phone calls and steal photos from the phone. It can also secretly turn on the phone's microphone and camera. Combine these with access to past and present location data, and it is clear that the operator can reach almost any information about the victim that they want.
The first versions of Pegasus date back to 2016, so this is not a completely new tool. However, its capabilities and sophistication have increased significantly since the early days. Not everyone can buy the tool, though: NSO Group provides it to governments for millions of dollars.
Fortunately, this means that such a tool is probably not in the hands of cybercriminals or terrorist groups. Although the company says the tool helps governments prevent terrorism and crime, some governments use Pegasus to target journalists, business executives, religious leaders and union officials. These countries include Hungary, Mexico, Saudi Arabia, India and the United Arab Emirates.
NSO Group says it provides services to more than 40 countries, but that it takes each country's human rights record into account. The company also claims that Pegasus cannot be used for spying in the United States, and that none of its customers have been given technology for spying on phones with American numbers.
Zero-Day Vulnerabilities
All software has problems known as bugs, and the more complex the software, the higher the number of bugs. Most bugs are just annoying: part of the user interface does not work as expected, for example, or a feature does not work properly under certain conditions. You can find bugs in games, operating systems, Android and iOS applications, Windows and Mac applications, Linux and basically all software environments.
Unfortunately, using open source software is no guarantee of a bug-free experience. Sometimes these projects are full of bugs because most of their development is done by a small group (or even one person). For example, three security bugs were recently discovered in the Linux kernel that had been around for 15 years.
It is the security bugs, however, that can cause a lot of problems. When users run into an ordinary bug, it gets fixed sooner or later, and that is not a problem. But when a bug compromises system security, the situation becomes more serious. Such bugs are so serious that companies such as Google, Apple, Amazon and Microsoft pay significant sums as a reward for their discovery. For example, Google paid $6.7 million for this purpose in 2020.
While tech giants spend millions of dollars fighting these security bugs, there are still many unknown vulnerabilities in Android, iOS, Windows, macOS and Linux code. Some of these are known as zero-day vulnerabilities: holes that are known to third parties but that the responsible company has not yet been able to detect. They are called zero-day because the company has had zero days to solve the problem.
Finding zero-day vulnerabilities is by no means an easy task, and exploiting them is even harder. However, it is possible. NSO Group has a team of experts who look into all the details of operating systems such as Android and iOS to find any vulnerabilities. Then, using these vulnerabilities, they create tools to bypass the security of the target device.
The ultimate goal of exploiting a zero-day vulnerability is to gain complete control over the device. Once effective security holes are discovered, Pegasus can modify system apps, change settings, and even activate various sensors without the user's permission.
To exploit such vulnerabilities, a carefully designed attack usually has to be prepared first. For these types of attacks, links are often sent via SMS or WhatsApp. Clicking the link loads an initial program, whose task is to exploit the zero-day vulnerability in the phone or device.
Unfortunately, some vulnerabilities can be exploited without any interaction from the victim. For example, in 2019, Pegasus could be installed on a target's iPhone using iMessage and FaceTime bugs just by making a phone call to the victim.
One way to estimate the number of zero-day vulnerabilities is to look at the statistics on vulnerabilities that have been found. In 2020, Google announced that 859 Android vulnerabilities had been discovered, and in the same year, the number of iOS vulnerabilities reached 304. Of the iOS vulnerabilities, 140 allowed the execution of unauthorized code, while the number of such vulnerabilities in Android was 97. All in all, as you can see, neither Android nor iOS is immune to zero-day vulnerabilities.
How to prevent spyware from infiltrating?
If you are really worried about this, keep in mind that tools like Pegasus cannot monitor your activities if you do not have a smartphone. A more practical solution is to not take your phone with you when attending sensitive meetings. Also, like Edward Snowden, you can cover the phone's camera, although this kind of spyware can still use the microphone to eavesdrop on your affairs.
All in all, if you think your activities are very important to a government and you also insist on using a smartphone, then, given tools like Pegasus, there is little you can do to combat this espionage. But in general, it is better to always install the latest updates for your phone.
Apple regularly releases new updates for iOS; for Android, it is better to choose a brand that delivers updates quickly. If you have any doubts about the different brands, we must say that Google phones play the leading role in this regard. We also stress that you should never click on a link sent to you unless you are 100% sure that the link is real and safe. Even if you have a little doubt about the link, do not click on it.
We must also say that if you use an iPhone, do not think that you are immune to these attacks. As we said, Pegasus also targets the iPhone, and in 2019, for example, it could hack into the victims’ iPhones without having to send any links.
Finally, always be vigilant but keep your cool. You may say to yourself that you have nothing to hide, but do any of your friends or family members have access to important information? Journalists, business executives, academics and union officials, after all, deal with a lot of people. Therefore, it is better to be careful and reduce the possibility of spying on yourself and those around you by following security tips.