Rogue Military-Grade Pegasus Spyware Targets Journalists Globally

Pegasus Spyware has been discovered to be the culprit behind human rights violations after a sweeping probe into a data leak of more than 50,000 phone numbers revealed surveillance affecting heads of state, activists, journalists, and lawyers around the world. Pegasus was created by the Israeli company NSO Group who claims the software is “military-grade spyware”. The “Pegasus Projection” is a collaborative investigation by more than 80 journalists from a consortium of 17 media organizations in 10 countries coordinated by Forbidden Stories, a Paris-based media non-profit, along with the technical support of Amnesty International.

“The Pegasus Project lays bare how NSO’s spyware is a weapon of choice for repressive governments seeking to silence journalists, attack activists, and crush dissent, placing countless lives in peril,” Amnesty International’s Secretary-General, Agnès Callamard, said.

“These revelations blow apart any claims by NSO that such attacks are rare and down to rogue use of their technology. While the company claims its spyware is only used for legitimate criminal and terror investigations, it’s clear its technology facilitates systemic abuse. They paint a picture of legitimacy while profiting from widespread human rights violations,” Callamard added.

NSO Group is the creator of Pegasus Spyware, which when installed on victims’ iPhone and Android devices, enables an attacker to harvest emails, SMS messages, media, calendars, calls, and contact information, as well as chat content from messaging apps like WhatsApp, Telegram and Signal, and stealthily activate the phone’s microphone and camera.

The company is a surveillance vendor and sells to a number of governments worldwide. NSO Group calls itself “the world leader in precision cyber intelligence solutions for the sole use of vetted-and-approved, state-administered intelligence and law enforcement agencies.”

The list of numbers in the probe does not include names but is said to contain hundreds of business executives, religious figures, academics, NGO employees, union officials, and government officials, with the probe uncovering NSO Group clients in at least 11 countries, including Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Togo, and the U.A.E.

The investigation has identified 180 journalists and over 600 politicians in over 50 countries. The timeline of the attacks spread over a seven-year period from 2014 up to as recently as July 2021. Rwanda, Morocco, India, and Hungary denied having used Pegasus Spyware to hack the phones of the individuals named in the list.

A forensic analysis of 67 mobile devices showed the intrusions involved the ongoing use of so-called “zero-click” exploits — which do not require any interaction from the target — dating all the way back to May 2018. Many “zero-click” exploits are carried out by leveraging multiple zero-day vulnerabilities in popular apps like iMessage. iMessage was one of the most targeted apps by Pegasus Spyware.

“All this indicates that NSO Group can break into the latest iPhones,” Citizen Lab’s Bill Marczak said in a series of tweets. “It also indicates that Apple has a MAJOR blinking red five-alarm-fire problem with iMessage security that their BlastDoor Framework (introduced in iOS 14 to make zero-click exploitation more difficult) ain’t solving.”

Of the tested smartphones, 23 devices had been successfully infected with Pegasus Spyware, and 15 exhibited signs of attempted penetration, the Washington Post said in an in-depth report.

“The coming week’s stories about the global hacking of phones identical to the one in your pocket, by for-profit companies, make it clear that export controls have failed as a means to regulate this industry,” U.S. whistleblower Edward Snowden tweeted. “Only a comprehensive moratorium on sales can remove the profit motive.”

This is not the first time Pegasus Spyware has been in the spotlight. In October 2019, Facebook-owned WhatsApp revealed that at least two dozen academics, lawyers, Dalit activists, and journalists in India were the target of unlawful surveillance by taking advantage of a then-unpatched vulnerability in the messaging service.

WhatsApp has since taken the company to court in the U.S., citing evidence that “the attackers used servers and Internet-hosting services that were previously associated with NSO.”

NSO has disputed the allegations, stating the investigation is “full of wrong assumptions and uncorroborated theories that raise serious doubts about the reliability and interests of the sources,” while stressing that it’s on a “life-saving mission” to “break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children, locate survivors trapped under collapsed buildings, and protect airspace against disruptive penetration by dangerous drones.”

“After checking their claims, we firmly deny the false allegations made in their report,” the company added. “Their sources have supplied them with information which has no factual basis, as evident by the lack of supporting documentation for many of their claims. In fact, these allegations are so outrageous and far from reality, that NSO is considering a defamation lawsuit.”

Pegasus Spyware Analysis

Note: This Analysis was carried out by LookOut.

The attack is very simple in its delivery and silent in delivering its payload. The attack starts when the attacker sends a website URL (through SMS, email, social media, or any other message) to an identified target. The user only has to take one action–click on the link. Once the user clicks the link, the software silently carries out a series of exploits against the victim’s device to remotely jailbreak it so that the espionage software packages can be installed.

The user’s only indication that anything happened will be that the browser closes after the link is clicked. The espionage software contains malicious code, processes, and apps that are used to spy, collect data, and report back what the user does on the device. Pegasus spyware can access and exfiltrate messages, calls, emails, logs, and more from apps including, but not limited to:

In order to accomplish this, the spyware, once it jailbreaks the user’s phone, does not download malicious versions of these apps to the victim’s device in order to capture data, rather it compromises the original apps already installed on the device. This includes pre-installed apps such as Facetime and Calendar and those from the official App Store.

Usually, iOS security mechanisms prevent normal apps from spying on each other, but spying “hooks” can be installed on a jailbroken device. Pegasus Spyware takes advantage of both the remote jailbreak exploit and a technique called “hooking.” The hooking is accomplished by inserting Pegasus Spyware’s dynamic libraries into the legitimate processes running on the device. These dynamic libraries can be used to hook the apps using a framework called Cydia Mobile Substrate, known to the iOS jailbreak community, and which Pegasus Spyware uses as part of the exploit.

A user infected with pegasus spyware is under complete surveillance by the attacker because, in addition to the apps listed above, it also spies on:
• Phone calls
• Call logs
• SMS messages the victim sends or receives
• Audio and video communications that (in the words a founder of NSO Group) turns the phone into a “walkie-talkie”

Access to this content could be used to gain further access into other accounts owned by the target, such as banking, email, and other services he/she may use on or off the device. The attack is comprised of three separate stages that contain both the exploit code and the espionage software. The
stages are sequential; each stage is required to successfully decode, exploit, install, and run the subsequent stage. Each stage leverages one of the Trident vulnerabilities in order to run successfully.

STAGE 1 Delivery and WebKit vulnerability
STAGE 2 Jailbreak
STAGE 3 Espionage software

The third stage deploys a number of files deployed in a standard unix tarball (test222.tar), each of which has its own purpose:

• ca.crt – root TLS certificate that is added to keystore (see Appendix A)
• ccom.apple.itunesstored.2.csstore – Standalone javascript that is run from the command line at reboot and is used to run unsigned code and jailbreak the kernel on device reboot
• converter – injects dylib in a process by pid. It is a renamed version of the cynject from the Cydia open-source library
• libaudio.dylib – The base library for call recording
• libdata.dylib – A renamed version of the Cydia substrate open-source library
• libimo.dylib – imo.im sniffer library
• libvbcalls.dylib – Viber sniffer
• libwacalls.dylib – Whatsapp sniffer
• lw-install – Spawns all sniffing services
• systemd – Sends reports and files to server
• watchdog
• workerd – SIP module

The attack investigated works on iOS up to 9.3.4. The developers maintain a large table in their code that attacks all iOS versions from 7.0 up to and including iOS 9.3.3. While the code we investigated did not contain the appropriate values to initially work on iOS 9.3.4, the exploits we investigated would still work, and it is trivial for the attackers to update the table so that the attack will work on 9.3.4.