Kaspersky comment: What is Pegasus spyware?

July 2021 by Dmitry Galov, security researcher at GReAT Kaspersky

Following news today that a list of more than 50,000 phone numbers believed to be of interest to the government clients of Israeli surveillance company NSO Group has been leaked, please find a comment below from Dmitry Galov, security researcher at GReAT. In this comment, Dmitry explains the functionality of Pegasus and how vulnerabilities can be exploited by cybercriminals.

What is Pegasus?

Pegasus is a modular spyware for iOS and Android. Back in 2016, an iOS version of Pegasus was discovered. Later, a version for Android was also found, which is slightly different from the one for iOS devices. One of the main infection schemes is as follows: the victim receives an SMS with a link, and if the person clicks on it, his device gets infected with the spyware. Moreover, according to public information, in order to infect iOS, the spyware exploits zero-day vulnerabilities found in the system.

Even when we studied Pegasus for Android in 2017, it was able to read the victim’s SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history. And that’s not all of its functionality. It is also worth noting that Pegasus is a rather complex and expensive malware, designed to spy on individuals of particular interest, so the average user is unlikely to encounter it.

How common are such vulnerabilities that allow people to be spied on? Are there any such examples available on the darknet now, and how unique is this service in general?

It is worth distinguishing between two concepts: spyware and vulnerabilities. Pegasus is a spyware with versions for both iOS and Android devices. Even when we studied Pegasus for Android in 2017, the perpetrator could read the victim’s SMS and emails, listen to calls, take screenshots, record keystrokes, and access contacts and browser history. And that’s not all of its functionality.

Moreover, it is known that in order to infect iOS, the spyware exploits zero-day vulnerabilities found in the system. These are vulnerabilities that the developer does not know about and for which a fix has not yet been released, but which can be exploited by cybercriminals to implement a variety of types of attacks, including targeted attacks aimed at specific organisations or people. Both spyware and zero-day vulnerabilities can be sold and bought by various groups on the darknet. The price of vulnerabilities can reach $2.5 million - this is how much was offered in 2019 for the full chain of vulnerabilities in Android. Interestingly, that year, for the first time, an Android vulnerability turned out to be more expensive than an iOS vulnerability.

What should users do to stay protected?

The best way to stay protected against such tools is to provide as much information on these cases as possible to related software and security vendors. Software developers will fix the vulnerabilities exploited by the attackers and security vendors will take measures to detect and protect users from them.

