Pegasus: A spy that won’t wait; will die before it is exposed

The NSO Group categorises the snooping into three levels: initial data extraction, passive monitoring, and active collection.

Zero-click installation that requires no action by the target is not the only ability that makes Pegasus the super spyware it is. What also makes it unique is the capability of “active collection”, which gives attackers the power to “control the information” they want to collect from the targeted device.

This set of features, says a marketing pitch by the Israeli company NSO Group that developed Pegasus, is called “active” because the features “carry their collection upon explicit request of the operator”, and it “differentiates Pegasus from any other intelligence collection solution”, that is, from any other spyware.

“Instead of just waiting for information to arrive, hoping this is the information you were looking for, the operator actively retrieves important information from the device, getting the exact information he was looking for,” the NSO pitch says.

‘Active’ data extraction

Unlike other spyware that provide only future monitoring of partial communications, says NSO, Pegasus allows the extraction of all existing, including historical, data on the device for “building a comprehensive and accurate intelligence picture.” The initial extraction sends SMS records, contacts, call history (log), emails, messages, and browsing history to the command and control server.

While Pegasus monitors and retrieves new data in real time — or periodically, if configured to do so — from an infected device, it also makes available a whole set of active collection features that allow an attacker to take real-time actions on the target and retrieve unique information from the device and from the surrounding area at its location.

Such active extractions include:

  • GPS-based location tracking: If GPS is disabled by a target, Pegasus enables it for sampling and immediately turns it off. If no GPS signal is accessible, Cell-ID is retrieved.
  • Environmental sound recording: Pegasus ascertains if the phone is in idle mode before turning on the microphone through an incoming silent call. Any action by the target that turns on the phone screen results in immediate call hang-up and terminates recording.
  • Photo taking: Both front and rear cameras can be used after Pegasus ascertains that the phone is in idle mode. The quality of the photo can be pre-determined by an attacker to reduce data use and ensure faster transmission. NSO cautions that since the flash is never used and the phone might be in motion or in a low-lit room, photos can at times be out of focus.
  • Rules and alerts: A number of conditions can be pre-set for real-time action, such as geo-fencing alerts (target enters or exits a defined location), meeting alerts (when two devices share the same location), connection alert (a call or message sent or received to/from a specific number), and content alert (a specific word used in a message), etc.

Invisible transmission

The transmitted data is encrypted with 128-bit AES symmetric encryption. Even while encrypting, says NSO, extra care is taken to ensure that Pegasus uses minimal data, battery, and memory so that the target does not get suspicious.

This is the reason why Wi-Fi connections are preferred for transmitting the collected data. NSO says it has put “extra thought into compression methods and focusing on textual content transmission whenever possible” to minimise data footprints to only a few hundred bytes and to ensure minimal impact on the target’s cellular data plan.

Data transmission stops automatically when the battery level is low, or when the target is roaming. When transmission is not possible, Pegasus stores the collected data in a hidden and encrypted buffer which is set to reach no more than 5 per cent of the free space available on the device. Under rare circumstances when no transmission is possible through safe channels, an attacker can collect urgent data through text messages but this, warns NSO, may incur costs that appear on the target’s phone bill.

The communication between Pegasus and the central servers takes place through the Pegasus Anonymizing Transmission Network (PATN), which makes tracing back to the origin “non-feasible”. The PATN nodes, says NSO, are spread across the world, redirecting Pegasus connections through different paths prior to reaching the Pegasus servers.

Self-destruct function

Pegasus comes complete with an efficient self-destruct mechanism. In general, says NSO, “we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.” Any risk of exposure automatically activates the self-destruct mechanism, which also comes into effect if Pegasus does not communicate with its server from an infected device for 60 days or a customised period of time.

There is a third scenario in which the self-destruct mechanism is activated. From the day it released Pegasus, the NSO Group has not allowed Pegasus to infect American phone numbers. The company does not even allow infected phones to travel to the United States. The moment a victim enters the US, Pegasus in her device goes into self-destruct mode.

Bare essentials

All that is required to run Pegasus are operator terminals (standard desktop PCs) with the following specifications:

  • Core i5 processor
  • 3 GB RAM
  • 320 GB hard drive
  • Windows OS

For system hardware:

  • Two units of 42U cabinet
  • Networking hardware
  • 10TB storage
  • 5 standard servers
  • UPS
  • Cellular modems and SIM cards