The Pegasus Project: what happened and how to protect yourself

More than 180 journalists were discovered in a database of phone numbers designated for potential espionage, thanks to a leak of documents given to the Forbidden Stories journalistic collective and Amnesty International. The choice of targets for surveillance was made by clients of the Israeli company NSO Group, which specialises in the production of spyware that it sells to governments around the world. Its primary product, Pegasus, can compromise a mobile phone, extract all data from it and activate the microphone to record conversations.

In addition to journalists, among the 50,000 people suspected of being targeted by state structures from around the world, there were activists, academics and even top public officials.

Targeted surveillance

Pegasus enables targeted compromise of mobile phones through malicious links or technical vulnerabilities in popular applications. In that way, it is possible to target a predetermined person and the confidential information stored on their phone – correspondence with journalistic sources, business and state secrets, information on political plans and actions and the like.

Spyware

Spyware is a type of malware that collects data from an infected system and passes it on, usually to the person who created it. With such malware, passwords, personal data, correspondence, etc. can be collected without authorisation.

Pegasus

Use of the software on iOS was discovered in 2016, but it is believed to have been in use since 2013. Although NSO Group claims that Pegasus is intended to fight terrorism and international crime, human rights organisations have identified use of the software in authoritarian regimes against civic activists and dissidents, including the assassinated Saudi journalist Jamal Khashoggi.

Who is using it

NSO Group's customers are primarily state bodies authorised to conduct surveillance and intercept communications: intelligence and security agencies, police services and the military. Although information on 40 unnamed buyer countries is currently available, the Pegasus Project findings indicate that the spyware was used in Hungary, Azerbaijan, Bahrain, Mexico, Morocco, Saudi Arabia, Kazakhstan, Rwanda, India and the United Arab Emirates.

How it infects the device

The software is intended for devices running the Android operating system, as well as some iOS versions, and exploits several different flaws in the system. Infection vectors include opening links, photo apps, the Apple Music app and iMessage, while some require no interaction from the user to run the software (zero-click).

What can it access

With Pegasus, attackers can reportedly gain access to virtually all data stored in the target’s smartphone, such as contents of SMS correspondence, emails and chat apps, photos, videos, address book, calendar data or GPS data. There are also options for remotely activating the phone’s microphone and camera and recording calls.

What can I do
