There are many different kinds of malware, and it is vital to protect yourself against them whenever possible. The internet is filled with hackers who spread viruses, worms, adware, rootkits, ransomware, spyware, and the list goes on.
To make things worse, governments also use malicious programs to target individuals and hack their devices. As a result, everyone should take online privacy and device security seriously if they want to protect their data.
In this guide, we have taken an in-depth look at Pegasus malware. We will explain what kind of infection it is, who it victimizes, how to avoid infections, and what it could mean if your device is targeted.
What is Pegasus malware?
Pegasus belongs to the class of malware known as spyware, so called because it is used to spy on the devices it targets and steal private data from them. Hundreds of spyware programs are circulating in the wild, and they vary widely in capability.
Pegasus is notorious because it is among the most technically sophisticated and dangerous spyware ever found in the wild. It is named after the winged horse of Greek mythology. It is sometimes loosely called a Trojan, but unlike a classic Trojan it does not need the victim to install a disguised application: it is delivered by exploiting vulnerabilities in the phone's software, typically through a chain of several exploits.
The malware was created by NSO Group, an Israeli company that sells surveillance tools to governments. Since it was developed, the proprietary spyware has been sold to dozens of governments around the world, officially for the purpose of protecting national security and preventing terrorism.
NSO is not eager to reveal its client base, but more than 40 countries are estimated to have had access to Pegasus. NSO Group's General Counsel, Chaim Gelfand, told the European Parliament in 2022 that at least five EU countries had used the company's software.
Pegasus has been used to carry out unlawful surveillance and has been linked to human rights violations on numerous occasions. NSO says it sells Pegasus only to legitimate military, law enforcement, and intelligence agencies for national security purposes, and claims that it rigorously vets its customers' human rights records before letting them use its tools.
However, the company also admits that it “does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers’ targets”. This means that it is impossible for NSO to guarantee that its customers aren’t using Pegasus for nefarious purposes.
What can Pegasus spyware do?
Pegasus spyware is a “zero-click” mobile surveillance program. It can attack devices without any interaction from the individual who is targeted.
It targets phones running iOS and Android, and once installed it silently harvests information from the device. The program is known for its high level of sophistication and is capable of pervasive espionage and data collection.
This includes reading text messages and emails, tracking calls, monitoring app usage, harvesting passwords, accessing personal files (including photos and anything else in local storage), tracking location, and switching on the device's microphone and camera remotely. Because Pegasus runs on the phone itself, it reads messages from end-to-end encrypted apps such as WhatsApp and Signal after they have been decrypted on the device, so end-to-end encryption is no defence against it.
Who is targeted with Pegasus malware?
NSO Group, the developer of Pegasus, has claimed that the software has only ever been used by governments to "investigate terrorism and crime."
Unfortunately, this controversial spyware has also been exploited to place important political leaders, well-known journalists, human rights activists, and other civil society figures under surveillance.
According to the Pegasus Project, a 2021 investigation coordinated by Forbidden Stories with forensic analysis by Amnesty International's Security Lab (published as its Forensic Methodology Report), a leaked list of some 50,000 phone numbers selected as potential targets included large numbers of human rights defenders, around 180 journalists working in over 20 countries, 14 heads of state and government including French President Emmanuel Macron, and a princess from Dubai. Being on the list does not by itself prove infection; the forensic examinations confirmed Pegasus infections or attempted infections on a subset of the phones that could be examined.
Known associates of Jamal Khashoggi, the journalist critical of the Saudi government who was murdered in the Saudi consulate in Istanbul in 2018, were found to have had Pegasus on their phones.
Amnesty International has identified that the spyware was previously used to engage in “widespread, persistent and ongoing unlawful surveillance and human rights abuses”.
That said, it is worth noting that this particular spyware is normally deployed to spy on high-profile targets. Each Pegasus license is prohibitively expensive, which means that the average consumer is unlikely to be targeted.
If you are a politician (or a political aide), a well-known journalist, a human rights activist, a political dissident, or some other person of interest, it is plausible that you could be targeted.
How does Pegasus spyware work?
When it was first developed, Pegasus relied on phishing as the primary route to infection. The victim had to follow a link in a message, which led to a web page that exploited the phone's browser and installed the malware.
In 2016, for example, the human rights defender Ahmed Mansoor received a text message promising "secrets" about torture in UAE prisons if he followed a link. Mansoor forwarded the message to Citizen Lab at the University of Toronto, which, together with the security firm Lookout, found that following the link would have jailbroken his iPhone and installed Pegasus. The exploit chain, dubbed Trident, used three iOS zero-days (CVE-2016-4655, CVE-2016-4656 and CVE-2016-4657), which Apple patched in iOS 9.3.5.
Since then, the malware has been upgraded to use zero-click infection vectors. This means that it can infect a targeted phone without the victim having to open a message, follow a link, or do anything else.
Once planted on a target's Android or iOS phone, it escalates its privileges: on iOS this amounts to a silent jailbreak, on Android to gaining root. That gives the operator unrestricted access to the contents of the phone, regardless of the protections individual apps apply. Researchers have noted that some Pegasus versions did not persist across a reboot and had to be deployed again, which is why regular reboots are sometimes recommended for at-risk users, although that is no guarantee against re-infection.
From there, a keylogger is installed to steal the victim's credentials and passwords, giving the operator access to the victim's online accounts.
All of this data, including GPS location data that tracks the target's movements, is sent back to a command-and-control (C2) server, where the operator can access and exploit it however they wish.
Can Pegasus spyware be detected?
Unlike most other types of malware, which often leave tell-tale signs of infection, Pegasus is extremely hard to detect. It is highly unlikely that you will notice, or have any reason to suspect, that your phone has been infected with Pegasus, even if you are targeted.
What makes Pegasus especially dangerous is that it can be installed without the victim doing anything at all. In 2019 it was delivered through a flaw in WhatsApp's voice-calling code (CVE-2019-3568): a single call, which did not even need to be answered, was enough to compromise the phone. In 2021 Citizen Lab identified FORCEDENTRY (CVE-2021-30860), a zero-click exploit sent through iMessage as a malicious attachment disguised as a GIF image. Amnesty International has also observed traffic from the Apple Music app to Pegasus infrastructure on an infected phone in 2020, consistent with an exploit delivered through that app, and has documented network injection attacks in which a target's browser was silently redirected to an exploit server while visiting an ordinary website.
How to remove Pegasus malware
If you are concerned that you may have been infected with Pegasus, the first step is to find out, and there is a free tool for that. Amnesty International's Security Lab has released an open-source forensic tool on GitHub. Note that it is a detection tool, not a removal tool.
It is called the Mobile Verification Toolkit (MVT), and it is “a tool to facilitate the consensual forensic analysis of Android and iOS devices, for the purpose of identifying traces of compromise.”
Using MVT is not easy. It is a Python 3 command-line tool (check the project README for the current minimum version), and it is meant to be run on a computer running Linux or macOS; running it on Windows through the Windows Subsystem for Linux (WSL) is possible but known to be a bit buggy.
MVT works by extracting data from the phone and comparing it against published indicators of compromise (IOCs), such as the STIX2 indicator file Amnesty maintains for Pegasus, which lists domain names, process names and file paths seen in confirmed infections. On iOS it analyses an iTunes/Finder backup (an encrypted backup contains more data and is recommended) or a full filesystem dump; on Android it analyses the device over adb or an Android backup, which requires the Android SDK Platform Tools. The project's documentation explains what you need, how to install MVT, and how to use it to identify traces of Pegasus. It does not remove anything: if it finds traces, preserve the device for forensic analysis and get expert help. A factory reset or a new phone removes the current infection, but does nothing to stop a determined operator from infecting the device again.
However, we urge you to remember that MVT was not designed for ordinary users. It is intended for technologists and investigators, and if you believe you have been infected with Pegasus, we advise you to reach out for expert advice, for example from Amnesty International's Security Lab or Access Now's Digital Security Helpline, both of which assist civil society targets.
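To make the MVT approach concrete, here is an added illustration of the kind of indicator matching it performs. This is example code written for this page, not MVT's own code: it parses a STIX2 bundle of the shape Amnesty publishes, then checks constructed device network records (modelled on the iOS DataUsage rows MVT extracts from a backup) against the domain and process indicators in it. The bundle, the domains, the process name and the records are all constructed placeholders, not real Pegasus infrastructure. Matching is on label boundaries, so a look-alike domain does not produce a false hit.

```python
"""
Indicator-of-compromise matching in the style of MVT's domain and process
checks. Added example, not MVT's code: the STIX2 bundle, domains, process
name and device records below are constructed placeholders for the example.
"""
import json
import re

# Constructed STIX2 bundle in the shape Amnesty publishes (pegasus.stix2).
# Real bundles carry hundreds of indicators; these values are placeholders.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "malware", "name": "Pegasus (placeholder)"},
        {"type": "indicator",
         "pattern": "[domain-name:value = 'updates.cdn-apple-services.example']"},
        # A compound pattern: both comparisons are indicators.
        {"type": "indicator",
         "pattern": "[domain-name:value = 'mailsrv.backup-cloud.example'] "
                    "OR [domain-name:value = 'cdn.backup-cloud.example']"},
        {"type": "indicator", "pattern": "[process:name = 'examplesyncd']"},
    ],
})

# Constructed records resembling what MVT extracts from an iOS backup's
# DataUsage database: timestamp, process or bundle id, destination host.
SAMPLE_RECORDS = [
    {"time": "2021-06-01 09:12:03", "process": "com.apple.mobilesafari",
     "domain": "www.example.org"},
    {"time": "2021-06-01 09:12:41", "process": "examplesyncd",
     "domain": "api.updates.cdn-apple-services.example"},
    {"time": "2021-06-01 09:13:10", "process": "com.apple.MobileSMS",
     "domain": "MAILSRV.backup-cloud.example."},
    # Looks like an indicator but is a different name: must NOT match.
    {"time": "2021-06-01 09:14:20", "process": "com.apple.weather",
     "domain": "xupdates.cdn-apple-services.example"},
]

# One STIX comparison expression: object-type:property = 'value'.
_COMPARISON = re.compile(
    r"(?P<type>[a-z0-9-]+):(?P<prop>[a-z_.]+)\s*=\s*'(?P<value>[^']*)'")


def load_indicators(stix2_text):
    """Parse a STIX2 bundle into {object_type: {values}}, for example
    {"domain-name": {...}, "process": {...}}. Only 'indicator' objects
    are used; other objects (malware, identity, ...) are ignored."""
    bundle = json.loads(stix2_text)
    if bundle.get("type") != "bundle":
        raise ValueError("expected a STIX2 bundle")
    iocs = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        for m in _COMPARISON.finditer(obj.get("pattern", "")):
            iocs.setdefault(m["type"], set()).add(m["value"].lower())
    return iocs


def domain_matches(domain, ioc_domains):
    """Return the indicator that `domain` equals or is a subdomain of,
    else None. Case-insensitive, ignores a trailing dot, and matches only
    on a label boundary ('.' + indicator), so 'xupdates.example' does not
    match 'updates.example'."""
    d = domain.lower().rstrip(".")
    for ioc in ioc_domains:
        if d == ioc or d.endswith("." + ioc):
            return ioc
    return None


def match_records(records, iocs):
    """Return [(time, [reasons])] for every record that hits an indicator."""
    domains = iocs.get("domain-name", set())
    processes = iocs.get("process", set())
    hits = []
    for rec in records:
        reasons = []
        ioc = domain_matches(rec["domain"], domains)
        if ioc is not None:
            reasons.append(f"destination {rec['domain']} matches indicator {ioc}")
        if rec["process"].lower() in processes:
            reasons.append(f"process {rec['process']} is a known indicator")
        if reasons:
            hits.append((rec["time"], reasons))
    return hits


def scan(stix2_text=SAMPLE_STIX2, records=SAMPLE_RECORDS):
    """Run the constructed records against the constructed indicators."""
    return match_records(records, load_indicators(stix2_text))


if __name__ == "__main__":
    for time, reasons in scan():
        print(time, "->", "; ".join(reasons))
```

With the real tool the equivalent step is running `mvt-ios check-backup` (or `mvt-android check-backup` / `check-adb`) with `--iocs` pointing at Amnesty's published indicator file; MVT applies many more checks than domain and process names, but the principle is the same: known-bad artefacts from confirmed infections compared against what the phone recorded.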
How to avoid being infected with Spyware
As mentioned, Pegasus is a highly sophisticated type of spyware that can infect devices without the user needing to do anything (zero-click). That makes it hard for people to protect themselves. The good news is that you can still protect yourself against other, less rare, and less sophisticated types of spyware.
Below, we have provided tips that will help protect you against spyware:
- Never open links or download attachments contained in unknown or unsolicited messages.
- Only download files from trusted sources and avoid third-party app repositories or other dubious download sites.
- Never download anything from unknown or untrusted websites.
- Use real-time virus protection and be sure to enable malware scanning for email attachments.
- Keep your operating system, your antivirus, and the apps you use up to date, and turn on automatic updates. Every publicly documented Pegasus exploit chain has been closed by a vendor patch once it was discovered, so an unpatched phone stays exposed to known chains.
- Schedule your antivirus to run regular scans.
- If you are a plausible target and use an iPhone, enable Lockdown Mode (Settings > Privacy & Security > Lockdown Mode, iOS 16 and later). Apple added it specifically for people at risk of mercenary spyware; it disables features such as most message attachment types and link previews that zero-click exploits have abused, and Citizen Lab reported that it blocked the September 2023 BLASTPASS chain.
- Reboot your phone regularly. Some Pegasus versions did not survive a reboot, although this is no guarantee against re-infection.
What’s next for Pegasus?
In November 2021 the US Department of Commerce added NSO Group to its Entity List, a trade blacklist. This prevents it from buying components from American companies without a special licence.
Apple sued NSO Group in the same month and is seeking a permanent injunction to ban NSO from using any Apple software, services, or devices. This, the company said in a statement announcing the lawsuit, is to "prevent further abuse and harm to its users." In January 2023 the US Supreme Court declined to hear NSO's appeal in the separate lawsuit brought by Meta's WhatsApp, allowing WhatsApp to pursue damages for the installation of Pegasus on its users' phones through the 2019 calling vulnerability.
In the meantime, the battle against the spyware continues. In September 2023, Apple issued a critical security update for iPhones (iOS 16.6.1) to close BLASTPASS, a zero-click exploit chain that used a bug in the way iOS processes images (CVE-2023-41064) to install Pegasus through iMessage attachments without any interaction from the victim. The chain was discovered by researchers at Citizen Lab after the phone of a staff member at a Washington-based civil society organisation was hacked.