In the world of cybersecurity and nation-state surveillance, the name Pegasus isn’t new. For those who are less familiar, Pegasus is mobile spyware built by Israel-based NSO Group. It previously made headlines when it was found on the mobile phone of Jamal Khashoggi and other journalists and activists who spoke out against their government. The spyware can be purchased from NSO Group, often for a seven or eight-figure price. It is then deployed via heavily targeted social engineering that convinces the victim to tap a link that deploys the spyware on their iOS device. Since it was first discovered by a collaborative effort between Lookout and Citizen Lab in 2016, Pegasus has remained the most sophisticated, targeted and persistent mobile threat ever found on iOS.
Today, the spyware has seen some serious upgrades to its capabilities and can now deploy its surveillance malware via a zero-click payload. This means no user interaction is required to install the spyware on the device, whether it runs iOS or Android. This can give the threat actor the ability to completely control the device and begin extracting sensitive data, including GPS coordinates, emails, pictures, recordings and messages, even those supposed to be encrypted. Furthermore, the spyware can turn the device into a recording tool to eavesdrop on private conversations or video record the user without their knowledge.
NSO Group maintains that they only sell their spyware to the intelligence communities in about 40 countries. They also claim that before selling it, they vet the nation’s government to be certain they’re not guilty of any human rights violations. However, recent reports exposed a list of about 50,000 mobile phone numbers from NSO that shows business executives, human rights activists, journalists, academics and government officials across regions known to engage in surveillance that could have been targeted with the spyware.
The discoveries surrounding the use of the Pegasus mobile spyware should act as a catalyst for action within the cybersecurity industry. This is clearly no longer a case of cyber espionage at the nation-state level. Instead, individuals across all types of politics and business could be in the crosshairs of this spyware, and there needs to be proactive action against Pegasus and other spyware.
The price tag of Pegasus makes it an expensive but viable option for nation-states to conduct surveillance on anyone of their choosing, and the mobile landscape has proven to be a viable location for cybercrime to take place. Over the past 18 months, there has been a 125% rise in phishing attacks, while malware and app risk exposures have risen by more than 400%. The stats are shocking, but their growth has been exacerbated by the pandemic, as most people are more actively using their personal devices from home, particularly for work purposes. Hackers are well aware of this fact and have been specifically targeting mobile devices.
Greater Collaboration Needed
So, where do we go from here? If we analyze the latest Pegasus spyware reports and industry commentary, it’s clear that there’s work to be done to improve security and privacy. Technology giants Microsoft, Google and Cisco have made considerable strides to be more collaborative and transparent when tackling such security threats as calls for a more “secured internet” gain momentum. However, for devices like mobile phones, which are highly personal, further steps need to be taken that go beyond standard checks to safeguard them from spyware.
How to Protect Yourself
Those seeking information on how to protect themselves from Pegasus or other mobile threats must first understand that it is typically delivered like other traditional malware via a phishing link through social engineering techniques. While Pegasus has a zero-click activation protocol, it still needs to reach the host device, and this can be achieved through many avenues such as SMS, social media, email, gaming or even dating apps.
Given the various attack vectors on mobile devices, individuals and organizations need to deploy dedicated mobile security. It is common practice to have security on PCs, so why should our phones be exempt? From phishing to malware, network and device-based attacks, mobile devices are targeted by threats daily. There are non-intrusive mobile security solutions available that actively protect against these threats while securing the users’ privacy and the devices’ sensitive information. In addition, having the ability to scan a URL or securely verify an application can bring much-needed peace of mind.
Cyber-criminals show no remorse and will continue to discover more nefarious methods to deploy their attacks, especially as more sensitive data flows through mobile endpoints to and from cloud services. Key business decision-makers must understand mobile devices are their own entity that cannot be secured using traditional methods. And while there are solutions available to individuals to protect themselves from attacks like Pegasus, hopefully, we will see further collaboration within the technology sector to improve security and privacy for us all.
Burak Agca, security engineer, Lookout