The Pegasus Project: what happened and how to protect yourself

More than 180 journalists were discovered in a database of phone numbers designated for potential espionage, thanks to a leak of documents given to the Forbidden Stories journalistic collective and Amnesty International. The choice of targets for surveillance was made by clients of the Israeli company NSO Group, which specialises in the production of spyware that it sells to governments around the world. Its primary product, Pegasus, can compromise a mobile phone, extract all data from it and activate the microphone to record conversations.

In addition to journalists, among the 50,000 people suspected of being targeted by state structures from around the world, there were activists, academics and even top public officials.

Targeted surveillance

Pegasus enables targeted compromitation of mobile phones, by hacking through malicious links or technical vulnerabilities in popular applications. In that way, it is possible to target a predetermined person and confidential information stored on their phone – correspondence with journalistic sources, business and state secrets, information on political plans and actions and the like.

Spyware

Spyware is a type of malware that collects data from an infected system and passes it on, usually to the person who created it. With such malware, passwords, personal data, correspondence, etc. can be collected without authorisation.

Pegasus

Use of software for iOS was discovered in 2016, but is believed to have been in use since 2013. Although NSO Group claims that Pegasus is intended to fight terrorism and international crime, human rights organisations have identified the use of software in authoritarian regimes against civic activists and dissidents, including the assassinated Saudi journalist Jamal Khashoggi.

Who is using it

Among NSO Group customers are primarily state bodies authorised for conducting surveillance and interception of communications: intelligence and security agencies, police services and the military. Although information on 40 unnamed buyer countries is currently available, the Pegasus Project findings indicate that the spyware was used in Hungary, Azerbaijan, Bahrain, Mexico, Morocco, Saudi Arabia, Kazakhstan, Rwanda, India and the United Arab Emirates.

How it infects the device

The software is intended for devices running the Android operating system, as well as some iOS versions, and exploits several different flaws in the system. Infection vectors include link opening, photo apps, the Apple Music app and iMessage, while some require no interaction to run the software (zero-click).

What can it access

With Pegasus, attackers can reportedly gain access to virtually all data stored in the target’s smartphone, such as contents of SMS correspondence, emails and chat apps, photos, videos, address book, calendar data or GPS data. There are also options for remotely activating the phone’s microphone and camera and recording calls.

What can I do