Pegasus Spyware Analysis

  • November 15, 2021
  • By Cyberarch Admin

In 2021, as mobile phones and the internet have become necessities of life, individuals and businesses across the globe depend heavily on them to conduct financial transactions, store sensitive data and communicate. This has opened up myriad opportunities for cybercriminals and malicious actors to use sophisticated tools and technology to hack devices and use critical information for monetary gain and other purposes.

For a long time now, mobile devices have been an easy target for threat actors to steal personal data or the intellectual property of corporations. Advanced applications and methods, including adware, SMS fraud and Trojans, are used to get inside devices without the knowledge of the victim. One such application is spyware, which is capable of extracting a wide range of information from mobile devices such as contact details, call recordings, SMS messages etc. Moreover, it can override your control and activate the microphone and camera to capture audio, video and images. Pegasus Spyware, which has recently gained worldwide attention, is one such spyware.

Pegasus Spyware

Pegasus Spyware is surveillance or hacking software developed by an Israeli firm named NSO Group. Established in 2010, NSO Group is in the cyber offence and defence space, and it has been developing and selling mobile phone spyware to different governments globally. Pegasus spyware is touted as one of the most sophisticated pieces of software in the world, and it can infect Android and iOS systems.

If you are wondering why Pegasus Spyware is considered more dangerous than other spyware, there are a couple of reasons. First, Pegasus spyware has a unique feature known as “zero-click attack”. It means that your mobile device can be infected without your knowledge or any action on your part. Typically, spyware infiltrates devices when you click on a malicious link or interact with the software. However, in the case of Pegasus, a simple WhatsApp call or message is sent to your mobile and spyware is delivered. The advanced program is highly capable of reading encrypted messages from various applications using sophisticated bypassing techniques.

Secondly, Pegasus software takes complete control of the mobile device and its functions. Besides listening to your conversations and monitoring activities, it can turn on and use the phone camera and microphone. All the data is sent to the Pegasus server and retrieved by the party concerned.

It can do the following:

  • Extract information from apps
  • Intercept calls
  • Read messages
  • Get passwords
  • Track location
  • Access Camera and Microphone
  • Collect personal data
  • Browsing history
  • Emails
  • Calendar records
  • Screen capturing

Another prominent feature is the self-destruction mechanism to make sure that no evidence is left. Thus, the spyware acts like a ghost without leaving any trace.

How does Pegasus Work?

Pegasus Spyware aims to take total control of a mobile device, which it achieves by rooting Android devices and jailbreaking iOS devices. Both rooting and jailbreaking are used to install applications that are not supported by the Android and iOS systems respectively. However, they remove the security controls embedded in the system by the manufacturer. Spyware, in such cases, loads additional software to secure remote access to device functions and data. Pegasus Spyware is designed so that the infiltration and installation of the software remain undetected by and unknown to the victim.

Pegasus Spyware Analysis

Prevention and mitigation against Pegasus Spyware would require analysis and understanding of the software, advanced levels of cyber hygiene, and operational security.

Software Installation: Pegasus Spyware only requires a mobile phone number or the email of the target to install successfully.

Over-the-Air (OTA): One installation mechanism, in which the software sends a push notification to the mobile device. This triggers the device to download the software without the knowledge of the user and without any action or interaction on their part.

Enhanced Social Engineering Message (ESEM): Another method, in which a malicious email or SMS message is sent to the target. As soon as the victim clicks, the software is downloaded. These methods are used when the phone number or email is available.

Tactical Installation method: Besides the above-mentioned methods, the tactical installation method is used in the vicinity of the target. First, the phone number is acquired using a Base Transceiver Station, and installation is then done remotely.

Techniques Used

Pegasus Spyware uses exploit chains to deploy the hacking agent on the mobile device of the target. 

Phase 0x1 – In the first phase, the operator uses an Enhanced Social Engineering Message (ESEM) to share the malicious link with the target. When the target clicks on the link, a browser vulnerability is exploited to make inroads into the operating system of the mobile device.

Phase 0x2 – In the second phase, complete control of the device is achieved with kernel-level exploits. Thereafter, the final payload containing the hacking modules is installed through kernel-level persistence. The operator is then able to install software that enables spying on or controlling applications on the device.

Phase 0x3 – In phase three, libraries for conducting malicious activities on the device are downloaded. These give the software access to everything from calls, messages, emails and video content to camera and microphone control etc.

Pegasus Spyware Attack on iOS

As mentioned, Pegasus software takes control of the iOS devices through jailbreaking. Generally, iOS security is capable of preventing spying software. However, Pegasus uses a technique known as hooking in jailbroken devices. In this method, dynamic libraries of Pegasus are inserted into the normal processes which run on the device. It is used to hook apps using a framework known as Cydia Mobile Substrate. 

The attack on iOS consists of three stages where exploit code and spying software are used. 

Stage 1 – This stage is delivered as an HTML file at the initial URL, which exploits a WebKit vulnerability in browsers.

Stage 2 – Depending on the iOS device type, the Jailbreak stage is downloaded by the stage 1 code as an encrypted package. As every package is encrypted with a unique key, the existing controls are not effective. The code in this stage exploits the iOS kernel vulnerabilities CVE-2016-4655 and CVE-2016-4656. A loader also downloads a package and decrypts it for the subsequent stage 3.

Stage 3 – It contains the spying software and other processes which are used after the jailbreaking process. In this stage, hooks are installed on applications that need to be spied upon. The software can also eliminate itself under certain conditions. In addition, files packaged as a standard Unix tarball are deployed, which are used for different purposes. Some of them are listed below:

• libaudio.dylib – It is a base library used for call recording 

• libdata.dylib – It is a renamed version of the Cydia substrate 

• libimo.dylib – sniffer library 

• libvbcalls.dylib – Viber sniffer 

• libwacalls.dylib – WhatsApp sniffer 

• lw-install – Spawns all sniffing services 

• systemd – Used to send reports and files to server
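
One way to triage a file listing from an extracted iOS image for the stage 3 file names listed above (an added example, not code from the original article or from any published forensic tool). The `triage_listing` helper, the clustering threshold and the sample paths are assumptions made for illustration; a lone name match only marks a directory for manual review.

```python
from collections import defaultdict
from pathlib import PurePosixPath

# Stage 3 component names exactly as listed in this article.
STAGE3_NAMES = {
    "libaudio.dylib": "base library used for call recording",
    "libdata.dylib": "renamed Cydia substrate",
    "libimo.dylib": "sniffer library",
    "libvbcalls.dylib": "Viber sniffer",
    "libwacalls.dylib": "WhatsApp sniffer",
    "lw-install": "spawns sniffing services",
    "systemd": "sends reports and files to server",
}

def triage_listing(paths, min_cluster=2):
    """Group listed files by directory and flag stage 3 name matches.

    Returns {directory: {"hits": {name: role}, "level": "high" | "review"}}.
    A directory with min_cluster or more distinct names is "high"; a lone
    match is "review", because a single generic file name proves little.
    """
    by_dir = defaultdict(dict)
    for raw in paths:
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        p = PurePosixPath(line)
        name = p.name.lower()                  # match names case-insensitively
        if name in STAGE3_NAMES:
            by_dir[str(p.parent)][name] = STAGE3_NAMES[name]
    return {d: {"hits": hits,
                "level": "high" if len(hits) >= min_cluster else "review"}
            for d, hits in by_dir.items()}

# Constructed sample listing; the directories are placeholders, not real IoCs.
SAMPLE_LISTING = """\
# file listing from an extracted image (constructed)
/private/var/example_dir/libaudio.dylib
/private/var/example_dir/libwacalls.dylib
/private/var/example_dir/lw-install
/private/var/example_dir/systemd
/usr/lib/libSystem.B.dylib
/private/var/mobile/Documents/libdata.dylib
""".splitlines()

if __name__ == "__main__":
    for directory, res in sorted(triage_listing(SAMPLE_LISTING).items()):
        print(res["level"], directory, sorted(res["hits"]))
```
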


1. Phase three impacts the phone in several ways. One of them is that the mobile device stops receiving auto-updates in the future. Also, the loader inspects whether the device has been previously rooted or jailbroken. Additionally, Deep Sleep functionality is disabled so that the software can keep a tab on its work and performance.

2. Battery status is regularly monitored by the software. It also checks the internet connection and assesses the network type, which helps in determining the bandwidth available for sharing data. The spyware has stealth communication channels to its command and control infrastructure.

3. Data gathering ability is perhaps the most sophisticated element of Pegasus software. It can gather high-value data from everything like Facebook, WhatsApp, SMS, Contacts, Calendar, Gmail, GPS, Wi-Fi passwords, calls etc.

4. Real-time spying is possible by using the mobile phone as an audio and video recorder. As a mobile device contains digital information, it has become a highly valuable target.

How can you minimize exposure to spyware?

Although such spyware attacks are carried out without the knowledge of the target, you can always use simple cyber hygiene measures to minimize exposure. Also, it will eventually help you protect yourself from other malware types. 

Links – Click on links from trusted sources alone when using your mobile device.

Updates – Always keep mobile software updated. It is one of the best defence strategies which can be used by the user. 

Limited Access – Password-protect your mobile device using a PIN, finger scan or face scan. Do not give physical access to an unknown person.

Public Internet – Avoid using Wi-Fi services available in public spaces especially when you want to use sensitive data.


The experts have found the following malicious domains as part of NSO Pegasus campaign 



Amnesty International’s Security Lab did an in-depth forensic analysis of mobile devices affected by the Pegasus software from across the globe. It reports the forensic traces left behind on both Android and iOS devices. Suspicious redirects were noticed in browsing history which was achieved via network injection attacks. It was found that the attack was carried out while navigating the internet as well as using other apps. The network database of those affected contained records of suspicious process execution. Amnesty has shared their methodology and tools to investigate and find indicators of the Pegasus spyware.


You can take some steps to monitor whether your phone is affected by Pegasus Spyware or other malware, although this is highly unlikely, as the software is used to target high-profile public personalities. If you see a spike in data usage, it is probably due to spyware affecting your phone. Always keep an eye out for unknown WhatsApp missed calls, unknown applications, poor mobile performance, permissions granted to the camera and microphone, application malfunctions etc. You can also partner with cybersecurity professionals who can help you diagnose your mobile device.
