Pegasus updated guide: How it infects phones, what it does, how to detect and get rid of it

There are fresh reports about Pegasus, the spyware that we first heard of in 2016. The reports, which detail how governments have used Pegasus across the world to spy on many journalists, activists, businessmen, politicians and others, indicate that Pegasus has evolved since its early days. Despite being a known commodity, it continues to have the capability to infect phones, including recent phones running updated software.

On Sunday evening, a number of websites, including the Washington Post and the Guardian, published a fresh set of reports based on research carried out by Amnesty International. The reports highlight that Pegasus remains in use and that over 10 countries, including India, are using this spyware to scoop data from the phones of thousands of people.

NSO Group has clarified that it sells Pegasus only to governments, while India has called the fresh reports "fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions."

The highly sophisticated spyware is meant to be a way to investigate terrorism and crime. At least that is what its maker, Israel-based cybersecurity firm NSO Group, claims. However, findings of collaborative research under the Pegasus Project seem to suggest otherwise.

The reports — all part of the Pegasus Project — present evidence that the spyware is used to conduct surveillance of numerous human rights defenders and journalists from around the world. The evidence was found through an in-depth forensic analysis of the phones infected with Pegasus.

The question, however, many readers may have is this: If you are using an iPhone or an Android, can Pegasus be used to monitor all your data?

The answer seems to be: Yes. And it is terrifying because earlier when Pegasus was found in 2016, Google, Apple, WhatsApp and others moved quickly to patch their software and devices against this spyware. However, it seems Pegasus too has evolved and even now it remains potent.

While its maker claims that the spyware "leaves no traces whatsoever," a new Forensic Methodology Report by Amnesty International's Security Lab shows forensic traces left by the spyware on iOS and Android devices.

The findings reveal much about how the spyware works, how it manages to sneak into a phone and to what extent it can be used. Consecutively the reports even tell us how it can be spotted on an infected device. Here is what we need to know.

How Pegasus infects phones?

Over the years, Pegasus has evolved in the way it operates and infects devices. The first version of the spyware was detected in 2016 and used spear-phishing to infect a smartphone. This means that it worked through a malicious link, usually sent to the target through a bogus text message or an email. The device became infected as soon as the link was clicked.

It now adopts a different and more sophisticated approach for reaching new targets. Shockingly, the new method does not require any input from the target user. It can infect a device by what is called a "zero-click" attack.

An example of this was seen earlier in 2019, when WhatsApp blamed Pegasus for infecting more than 1,400 phones through a simple WhatsApp call. Due to a zero-day vulnerability, the malicious Pegasus code could be installed on the phone, even if the target never answered the call.

While this was fixed by WhatsApp, which also filed a case against NSO Group in the US, Pegasus has now acquired different capabilities.

In the report on Sunday, the Guardian highlights the use of a similar zero-click Pegasus attack that exploits Apple's iMessage. The report explains that exploiting undiscovered security lapses in such widely used services helps Pegasus infect many devices easily.

The infections are apparently carried out by downloading malicious code from servers that NSO Group runs. The analysis by Amnesty International shows the links for downloading the bits of Pegasus are hidden in the contents of a message, or an image or the background data that apps often download on phones without requiring any inputs from users.

The fresh reports note that when the details of these servers become public, NSO Group shuts them down and creates new servers. In recent months, according to the reports, NSO Group is even using servers managed by cloud computing providers like Amazon Web Services to deliver Pegasus to phones.

What can Pegasus do?

Once a smartphone is infected by it, Pegasus can effectively monitor any activity you perform on it. This includes reading or copying your messages, extracting your media files, accessing your browser history, recording your calls and much more.

It can even turn the device into a surveillance tool by turning on its microphone to listen and record an ongoing conversation. Similarly, it can trigger the phone's camera to record a video at any point in time.

The spyware can even be used to extract the exact location of a device, or the history of its whereabouts. This means an infected smartphone will effectively give out the locations that its user has visited in the past or is currently at.

In 2017 researchers at anti-virus company Kaspersky wrote, "We're talking total surveillance. Pegasus is modular malware. After scanning the target's device, it installs the necessary modules to read the user's messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, and so on and so forth. It can spy on every aspect of the target's life. It's also noteworthy that Pegasus could even listen to encrypted audio streams and read encrypted messages — thanks to its keylogging and audio recording capabilities, it was stealing messages before they were encrypted (and, for incoming messages, after decryption)."

How is Pegasus detected on the phone?

Make no mistake that Pegasus is highly sophisticated spyware. This means that other than the intended spying purposes, it has been explicitly designed to avoid detection. So finding it on an infected device is no child's play.

In the earlier Pegasus attacks, the malicious link through the messages or emails were indicative enough of the spyware's presence. The consecutive practice of spyware-triggering WhatsApp calls was also identified as a threat later on.

The more sophisticated zero-click attacks these days have no such upfront indicators. Luckily, the new Forensic Methodology Report by Amnesty International sheds light on the traces that the spyware leaves.

The new security report highlights several domain redirections that have been spotted on infected devices. The initial ones were recorded in Safari's browsing history, but eventually, such suspicious redirects were found to take place in other apps as well. The report has published a total of 700 Pegasus-related domains that were discovered during the investigation.

Another method of spotting Pegasus, as described in the report, is through the iOS records of process executions "and their respective network usage" in two specific files. A suspicious process called "bh" was spotted in network usage databases of infected devices. This "bh" process was observed immediately following visits to Pegasus Installation domains.

Similar traces were found in almost all the vulnerabilities that Pegasus has exploited to date. The crux is that a regular smartphone user will never be able to detect these, while the spyware will continue to operate, leaking the user's data to the spyware user.

Amnesty has also decided to release the tools through which it detects Pegasus in public. Although, the tool is meant to be used by security researchers as it is not a simple app you can run on your phone or computer.

How to get rid of Pegasus?

Cybersecurity experts have indicated that a device infected by Pegasus might never be able to recover from it completely. Traces of the spyware might still be found, even after a hard factory reset of the device.

So the best option for victims of the spyware attack is to get rid of the infected device altogether. Users can check for all the indicators of a compromise through Amnesty International's GitHub. In addition, the organisation has also released a modular tool, called Mobile Verification Toolkit (MVT) for such an analysis. Anyone finding traces of Pegasus on their phones should switch to a new phone and change the passwords of the applications and services they used on it.