Pegasus: The phantom threat lurking in your phone
The invasive spyware exploits undiscovered vulnerabilities, or bugs, in Android and iOS. This means a phone could be infected even if it has the latest security patch installed
Today, our smartphones have become extensions of our personal and professional lives.
Since our digital footprints are as ubiquitous as real ones, the idea of an invisible observer lurking within these devices is both chilling and unsettling, as well as a massive invasion of our privacy.
That is why Pegasus, an insidious spyware, can be considered the single biggest threat to privacy ever.
Spyware is any malicious software designed to get onto your device, gather your data, and forward it to a third party without your consent.
Pegasus today has become a byword for invasive surveillance. Its origins can be traced back to 2010, when the Israeli firm NSO Group was founded by Niv Carmi, Omri Lavie, and Shalev Hulio.
The company marketed Pegasus as a tool for governments to combat terrorism and crime, offering them unprecedented access to the devices of suspects. Unlike other spyware, Pegasus is not an off-the-shelf product but a bespoke tool tailored for specific targets, making it particularly attractive to state actors.
However, the true scale of Pegasus's deployment came to light in July 2021, with the publication of the Pegasus Project by a consortium of 17 media organisations, including The Guardian, Le Monde, and The Washington Post, in collaboration with Amnesty International and Forbidden Stories.
This investigation revealed that Pegasus had been used to target over 50,000 phone numbers worldwide, belonging to journalists, activists, business executives, and politicians.
How Pegasus works
Many experts believe Pegasus is the most powerful spyware created to date. It is designed to infiltrate smartphones — both Android and iOS — and turn them into surveillance devices.
Pegasus exploits undiscovered vulnerabilities, or bugs, in Android and iOS: so-called zero-day flaws that the vendor does not yet know about and therefore has not patched. This means a phone could be infected even if it has the latest security patch installed.
A previous version of the spyware from 2016 infected smartphones using a technique called "spear-phishing": text messages or emails containing a malicious link were sent to the target. It depended on the target clicking the link — a requirement that was done away with in subsequent versions.
By 2019, Pegasus could infiltrate a device with a missed call on WhatsApp and could even delete the record of this missed call, making it impossible for the user to know they had been targeted.
Once inside a device, Pegasus can access messages, emails, photos, and even control the camera and microphone, turning the smartphone into a real-time surveillance tool.
Pegasus attacks across the world
The Jamal Khashoggi case: One of the most high-profile cases linked to Pegasus is the murder of Saudi journalist Jamal Khashoggi. According to reports, Pegasus was used to target Khashoggi's inner circle, including his fiancée Hatice Cengiz and close associates, before and after his assassination in the Saudi consulate in Istanbul in 2018.
Mexican journalists and activists: In Mexico, Pegasus was used extensively to target journalists and activists, particularly those investigating corruption and organised crime. One of the most notable cases involved the surveillance of journalist Carmen Aristegui, who was known for her work exposing corruption at the highest levels of the Mexican government.
Bangladesh and Pegasus
In 2018, Canada-based cybersecurity organisation Citizen Lab documented suspected Pegasus infections in 45 locations. Bangladesh was named among the locations mentioned in their list.
Between August 2016 and August 2018, Citizen Lab scanned the internet for servers associated with NSO Group's Pegasus spyware. They found 1,091 IP addresses that matched its fingerprint and 1,014 domain names that pointed to the addresses.
Citizen Lab identified five operators that they believed were focusing on Asia. One operator, GANGES, used a politically themed domain, signpetition[.]co, to infect devices in Bangladesh, India, Pakistan, Brazil and Hong Kong.
After analysing the DNS cache hits, they suspected that devices on the network of Bangladesh Telecommunications Company Limited (BTCL) had been infected by the spyware for political targeting. Bangladesh's then Posts and Telecommunications Minister Mustafa Jabbar denied the allegations.
Article 43(B) of the Bangladesh Constitution safeguards citizens' privacy of correspondence and communication. Section 63 of the ICT Act, 2006 provides penalties for the disclosure of any confidential or private electronic record, book, register, correspondence, information, document, or other material without the consent of the person concerned.
The ethical dilemma
The NSO Group insists that Pegasus is a legitimate tool for law enforcement and intelligence agencies, emphasising that it is only sold to vetted government clients.
However, the cases outlined above, along with numerous others, suggest that Pegasus has been misused on a global scale, targeting individuals far removed from the realms of terrorism or crime.
Moreover, the potential for abuse is immense, with little transparency or oversight governing how these tools are used.
Legal and regulatory responses
The revelations about Pegasus have prompted legal and regulatory actions around the world.
In the US, the Biden administration blacklisted the NSO Group in November 2021, citing concerns that Pegasus had been used to "conduct transnational repression." This move severely restricted the company's ability to do business with American firms and marked a significant shift in the global stance on spyware.
In Europe, the European Parliament launched an inquiry into the use of Pegasus and similar spyware within the EU, particularly in Poland and Hungary, where the software was allegedly used against political opponents and independent journalists.
The inquiry has led to calls for stricter regulations and greater accountability for companies that develop and sell spyware.
Detecting Pegasus
Because of its discreet installation, Pegasus could in the past only be identified through digital forensics. Kaspersky Labs has developed a tool that extracts, analyses, and parses the iOS shutdown.log file, making it easier to locate any malicious signatures. Because the log is only written when the device restarts, it is crucial for optimal results to reboot the device on the same day it gets infected with Pegasus.
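To illustrate the kind of check described above, here is an added example (not Kaspersky's tool or any code from the original article) that parses shutdown.log entries for processes that delayed a shutdown and flags those whose binary lives outside the usual Apple system directories. The line shape `remaining client pid: N (path)`, the use of the `After ... clients, continuing...` line as an episode delimiter, and all sample log lines are constructed assumptions for this example.

```python
import re
from collections import Counter

# Assumed line shape for a process that was still running when the
# system tried to shut down (constructed for this example).
CLIENT_RE = re.compile(r"remaining client pid:\s*(\d+)\s+\((\S+)\)")

# Directories Apple's own daemons and system apps normally live in.
# A path outside them is a lead for a human analyst, not proof of malware.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/", "/Applications/")

# Constructed sample log: three shutdown episodes, one with an
# unexpected daemon running from a temp directory (placeholder name).
SAMPLE_LOG = """\
SIGTERM: [0x1f9c] remaining client pid: 23 (/usr/sbin/wifid)
SIGTERM: [0x1f9c] remaining client pid: 24 (/usr/libexec/nsurlsessiond)
After 1.00s, there are 2 clients, continuing...
SIGTERM: [0x2a10] remaining client pid: 23 (/usr/sbin/wifid)
SIGTERM: [0x2a10] remaining client pid: 812 (/private/var/tmp/EXAMPLE_unexpected_daemon)
After 1.00s, there are 2 clients, continuing...
SIGTERM: [0x3b22] remaining client pid: 910 (/private/var/tmp/EXAMPLE_unexpected_daemon)
After 1.00s, there are 1 clients, continuing...
"""

def is_system_path(path: str) -> bool:
    """True if the binary sits in a directory Apple's own software uses."""
    return path.startswith(SYSTEM_PREFIXES)

def parse_shutdown_log(text: str) -> Counter:
    """Map each binary path to the number of shutdown episodes it delayed."""
    counts: Counter = Counter()
    seen_this_episode = set()          # dedupe repeats within one episode
    for line in text.splitlines():
        if "continuing" in line:       # assumed end-of-episode marker
            counts.update(seen_this_episode)
            seen_this_episode.clear()
            continue
        match = CLIENT_RE.search(line)
        if match:
            seen_this_episode.add(match.group(2))
    counts.update(seen_this_episode)   # log may end without a marker
    return counts

def suspicious_clients(text: str) -> dict:
    """Non-system binaries that delayed shutdown, with episode counts."""
    return {p: n for p, n in parse_shutdown_log(text).items()
            if not is_system_path(p)}

if __name__ == "__main__":
    for path, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"review: {path} delayed shutdown in {n} episode(s)")
```

Repeated appearances of the same non-system path across reboots are what make an entry worth pulling into a full forensic review.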
Amnesty International has recently launched the Mobile Verification Toolkit, a powerful open-source utility that aims to identify any signs of Pegasus.
The software operates on a personal computer and examines data, including backup files exported from an iPhone or Android phone.