If you clicked on this post, it is because you want to understand what’s
going on with Pegasus, the world’s greatest cyber-hazard. And yes, the
situation is much more dangerous than you think.

Without a doubt, we are talking about something much more powerful than
the winged, immortal creature born from its mother blood, Medusa,
after being beheaded by Perseus. Unlike such a powerful mega-equine,
the software we’re talking about works almost undetectably. It has more
eyes than Gorgon’s head, more range than her son’s flight, and is more
ubiquitous than the constellation into which Zeus transformed the
beautiful winged horse.

With Pegasus, we have entered an era of espionage unprecedented in
human history. Today, each of us carries a potential spy in our pockets.
Yes, we had been warned for years about this possibility. Privacy
policies have been created to prevent those small
devices from becoming omniscient eyes and ears of our life. However, no
program capable of using all those functions against us had ever been
made public… at least not until Pegasus arrived.

In this post, we will not focus on the
political-international
discussion behind
Pegasus.
Nor will we focus on the ethical
considerations
behind the development and use of this type of software. There are much
more prepared
people
doing such dissertations.

What do we know about Pegasus?

Pegasus is the main
product
of NSO Group, which is an Israeli
surveillance company. According to Jon
Gerberg,
a Washington Post reporter, NSO is dedicated “to make malicious software
that governments use to target your smartphone and gather data out of
it, and they sell this to governments all over the world.” Peter
O’Brien,
from France24, characterizes Pegasus as “easily installed, almost
impossible to detect and even harder to get rid of.” In this sense,
there could be a point of comparison with
Lazarus. But differently from Lazarus
governmental engagement, NSO, as a private company, works for whoever
they choose and who has enough money to pay them. They are not
responsible for what
their clients do with the program they are selling.

Pegasus can infect almost every smartphone in the world (Android and
iOS) nearly without being noticed. BGR
India explains that it
became public in 2016 after the UAE human rights activist Ahmad Mansoor
sent a mysterious text message he got with a link to researchers. The
message alerted him about tortured prisoners in the country. He was
trying to verify the integrity of that information when the researchers
that examined that text told him it was a smishing
attack leading to malware. In fact, “after the investigation, it was
found out that the links were linked back to the infrastructure
belonging to the NSO
group.”

What is new with Pegasus?

Every spyware that allows remotely controlling a device must “enter” the
mobile phone somehow. From the time Pegasus was discovered in 2016 to
the present, the entry system into victims’ phones has varied, but their
functions are practically identical. At first, Pegasus was known as Q
Suite and
Trident,
and its entry mode to the system was through classic
phishing, smishing or
spoofing methods. However, they have perfectionated
their entry techniques and now it is almost perfect (better than
Specter’s nearly unmatched modus operandi, another cyber threat we
already talked about).

Pegasus’s entry mode is known as zero-click attack. It allows the
attacker to access the device using a technique that “relies on
exploiting software which receives data before the device can determine
if the data is coming from a trustworthy source or
not.” According to
ZecOps,
several Apple devices had a vulnerability in the Mail app that had not
been patched. Through it, attackers could remotely access to infect a
machine.
The vulnerability was fixed, but that hasn’t stopped attackers from
figuring out ways to remotely access devices. In Android, the attackers
were targeting “a vulnerability in the graphics library of the phone,
running version android 4.4.4 and
above.”

Other ways in which the zero-click attack can be performed are through
“security bug in voice calls made through apps like
WhatsApp.” If this weren’t
enough, the most sinister version of zero-click attacks removes all
traces of the entry attempt. Attackers can perform a miss call on the
victim, “once the software is installed, it would delete the call log
entry so that the user wouldn’t even know about them as
called.” This makes it a
perilous threat because it is not based on social engineering.
Attackers don’t have to wait for the victim to make a mistake. People
can handle their devices with the utmost care, and still, Pegasus can
get access to them.

What can Pegasus do?

When installed on a device, “the attacker can virtually control any
path of the phone.”
Controllers can check all the media stored on the device: photos,
videos, messages, emails, credentials, passwords, etc. They can track
the GPS to have a detailed minute-by-minute map about the user’s
location. They can access the calendar to see what plans have been
scheduled. And the most spine-chilling thing of all is that at any time,
they can turn on the microphone or camera to
record.
As long as a device is susceptible to being attacked by Pegasus, there
is no safe place.

All this occurs in such discreet, disguised and seemingly normal
circumstances that it is almost impossible to determine whether a device
has been infected with Pegasus. According to Peter
O’Brien:
“The phone wouldn’t show any sign of being infected besides the finest
traces of abnormal software processes.” As if all this were not enough,
even if a victim overcomes every obstacle to discover that she has been
affected by Pegasus, she cannot remove it from her system. It is not an
application. There is no software to restore the system to a pre-Pegasus
version. To top it off, ” the malware can stay even after a factory
reset.”

Now what?

So, what can we do to protect ourselves from such a threat?
Usually, I would give you advice such as “be careful not to open
suspicious links,” “if you see that there is something that should not
be on your cell phone, report it to the authorities immediately.”
However, none of these interim measures work with the all-mighty
Pegasus. It’s too powerful to be stopped by tricks of that nature.
Perhaps the only thing that could mitigate the opportunity for them to
enter your device is to have no device at all.

Don’t you think that’s good advice?
Okay then…​ Here’s a genuine recommendation: always keep your system
up to date. Just like what happened with the Mail vulnerability in iOS or
with that of the graphics card of Android systems, the related companies
were given the task of patch vulnerabilities spotted. That doesn’t
guarantee they won’t attack you, but it could minimize the risks.

We hope you have enjoyed this post!
At Fluid Attacks,
we boost your vulnerability management we look forward to hearing from you.
We specialize in Continuous Hacking.
To learn more about it,
contact us!

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Zárate. Read the original post at: https://fluidattacks.com/blog/pegasus-spyware-cyberthreat/