With “Project Pegasus”, Forbidden Stories and Amnesty International have revealed new details about the Pegasus spyware. Known since 2016, and active before that, it continues to be used by governments to closely monitor journalists, activists and other political opponents. It owes this longevity to its ability to keep finding new ways to hack victims’ smartphones.
The latest investigation by the consortium of journalists Forbidden Stories, and the NGO Amnesty International, published on July 18, brings new revelations about the most famous spyware, Pegasus. Its publisher, the Israeli NSO Group, reserves its use for governments capable of spending several million dollars to put a few dozen smartphones under surveillance.
Until now, the number and names of the malware’s victims have only trickled out. But the “Pegasus Project”, in which Le Monde participated, obtained a list of 50,000 phone numbers targeted by the spyware. Among them, the investigators found the numbers of journalists (from Mediapart and Le Monde in particular), activists, and even people involved in politics. The investigation calls into question NSO Group’s long-standing defense that its tool is only used in the fight against terrorism.
Once installed on a smartphone, Pegasus becomes the perfect monitoring tool: it can intercept messages, record calls or steal files, among other things. But it is not these capabilities that make the spyware so attractive. Where Pegasus stands out is in its ability to deploy easily and discreetly on smartphones, both iPhone and Android, despite security updates. Over and over again, NSO Group manages to uncover critical vulnerabilities and, most importantly, to keep them secret long enough.
Unlimited vulnerabilities to hack smartphones
Your smartphone includes a lot of software, starting with its operating system (OS), iOS for iPhone and Android for the overwhelming majority of others. Then, each application (messaging, social networks, games, etc.) that you have installed is additional software on your smartphone.
Each of these programs is made up of millions of lines of code, themselves grouped into layers responsible for different tasks. You can imagine a piece of software as a tower with many floors. Except that this tower is special, since it is possible to enter each floor without going through the ground floor.
Like any building, the tower has design flaws. For example, the architects may have forgotten to put a lock on a door that closes off access to a significant part of the building. Or the workers may have left a gap in the roof, so the building floods in heavy rain even though it was designed to be waterproof.
Dozens of vulnerabilities per software, every month
In computer science, these design flaws are known as “bugs,” and they cause software to behave unexpectedly. Some bugs have minor consequences – like layout errors – while others can prevent the software from working properly. And sometimes a bug allows an outside party to exploit the software to their advantage: we then speak of a vulnerability, or flaw. Here again, the range of possible effects is wide: a vulnerability can allow access to protected data, display a message, or even take control of the device on which the software is installed.
Fortunately, these vulnerabilities can be repaired by “fixes” or “patches” released by the software publisher. For example, Google publishes several dozen per month for Android. But software also regularly receives updates that provide new functionality, and each of these is a new layer of software that may itself contain vulnerabilities. The result: the process of finding and fixing flaws is an endless cycle, which means that no system is ever 100% secure.
Pegasus excels at discovering new ways to hack
In order for spyware like Pegasus to be effective, it needs to install itself discreetly on the targeted device and then obtain numerous permissions to perform its surveillance job. All without being noticed by the user: a notification such as “Do you allow software X to read your messages?” would arouse suspicion.
To achieve this, attackers exploit vulnerabilities in the various software installed on the victim’s device, and this is where Pegasus stands out. The majority of attackers are content to exploit known flaws on devices that are not up to date. But cutting-edge groups like NSO Group go further: they discover “zero-days”. This name is given to vulnerabilities unknown to the software publisher, for which there is therefore no patch. In other words, a zero-day can in theory be used against any device on which the software is installed. It is then up to the entity that discovered the flaw to keep it secret in order to benefit from it for as long as possible. This is where NSO Group’s targeted espionage activity works in its favor: the relatively small number of victims and the discretion of the surveillance prevent publishers from spotting the flaws.
For example, NSO Group took advantage of an iMessage flaw for a year to deploy Pegasus on iPhones. All it had to do was send a malicious message to the victim, who was infected with the spyware without any further interaction. The vulnerability – a particularly serious one – was eventually corrected, but the company had already found others, as exposed by Amnesty. In its article on the history of NSO Group, Le Monde specifies that “three quarters of the company’s more than 700 employees” are dedicated to finding vulnerabilities. A significant strike force that allows it to regularly discover vulnerabilities in operating systems or third-party software like WhatsApp, so that it can keep deploying Pegasus despite the patches.
The good news about this mode of operation is that Pegasus is expensive to develop, which prevents it from becoming a mainstream tool. The bad news is that NSO Group is just one company among other sellers of cutting-edge spy tools. Last week, Microsoft revealed the existence of the “DevilsTongue” spyware created by the Israeli company Candiru, which exploited, among other things, previously unknown vulnerabilities in Windows.