
The Powerful and Controversial Spyware: Pegasus

Pegasus is sophisticated spyware marketed for government surveillance of criminals and terrorists. However, its apparent use to target political opponents, journalists, activists and critics has sparked outrage and calls for better regulation of commercial spyware. As one of the most advanced and full-featured malware products available, Pegasus offers incredible surveillance capabilities but in the hands of repressive states, it poses major risks to privacy rights and democracy.

What Makes Pegasus So Powerful?

Pegasus is unusually capable because it is delivered through exploits for vulnerabilities in mobile operating systems that the vendor has not yet patched, and often does not yet know about. Most malware needs the victim to click an infected link or open an attachment; Pegasus operators have used more sophisticated techniques:

Zero-day exploits

Zero-day vulnerabilities are flaws the vendor has had zero days to fix, because they were unknown to it until someone started exploiting them. NSO acquires or develops exploits for such flaws and builds them into Pegasus, so a fully updated phone can still be compromised; in the zero-click variants no action on the victim's part is needed at all.

iMessage zero-click

In September 2021, Apple issued emergency updates (iOS 14.8) after Citizen Lab recovered a zero-click iMessage exploit used to install Pegasus, known as FORCEDENTRY (CVE-2021-30860), from the phone of a Saudi activist. Simply receiving the malicious message was enough for infection; the victim never had to open it.

Network injection attacks

Operators can also redirect a target's unencrypted (HTTP) web traffic to an exploit server, either with the cooperation of the mobile operator or with a rogue base station placed near the target. Weaknesses in SS7 and other telecom protocols help locate a target, but the injection itself depends on the traffic being sent in the clear; an HTTPS connection cannot be silently rewritten this way.

These advanced tactics mean Pegasus can infect devices with no action – or even knowledge – on the part of victims. And because the vulnerabilities are often unknown even to Apple and Google, there is little users can do to detect or resist attacks.

Unrivaled Surveillance Capabilities

Once installed on an iOS or Android phone, the Pegasus payload gives the operator near-total monitoring of a target's activities:

  • Call logs, SMS records, contacts
  • Emails, browsing history
  • Photos, videos
  • Microphone and camera feeds
  • Precise geolocation tracking
  • Wi-Fi network passwords

According to published analyses, these surveillance capabilities rival those of intelligence agencies. Pegasus not only monitors a device in real time, but exfiltrates stored data such as messages, photos and emails to the operator's servers.

Researchers also reported Pegasus capabilities aimed at cloud-based services such as Gmail and Facebook. Even end-to-end encrypted chats on apps like WhatsApp and Signal offer little protection, not because the encryption is broken but because Pegasus reads messages on the device itself, where they are decrypted for display.

[Infographic showing Pegasus capabilities]

Pegasus also covers its tracks. Analyses going back to the 2016 iOS sample describe self-destruct mechanisms that remove the implant if, for example, it cannot reach its command server for an extended period or finds itself on a device other than the intended target, and recent iOS versions leave very few files on disk. With hundreds of features, it's one of the most full-featured surveillance tools ever discovered.

Mass Infection of Devices

In July 2021, the Pegasus Project (a reporting consortium coordinated by Forbidden Stories, with forensic support from Amnesty International's Security Lab) revealed a leaked list of more than 50,000 phone numbers selected as possible targets by NSO clients. Of the 67 phones belonging to people on the list that were forensically examined, 37 showed evidence of an attempted or successful Pegasus infection.

[Table of phones found infected by Pegasus]

A number on the list is not proof of infection, but the rate of confirmed compromises among the phones examined indicates Pegasus is used for surveillance far beyond a handful of criminal suspects, plausibly entailing thousands of compromised devices worldwide.

Upgrades Expand Attack Vectors

Since its public discovery in 2016, when Citizen Lab and Lookout analysed an iOS sample used against the Emirati activist Ahmed Mansoor, NSO Group has released improved versions of Pegasus with additional capabilities. Reported milestones include:

Android version – An Android variant, documented by Google and Lookout in 2017 under the name Chrysaor, with its own exploits and self-destruct mechanisms.

Cloud account harvesting – Reported in 2019 from NSO sales material: reuse of authentication tokens found on an infected phone to pull data from cloud services such as Google Drive, iCloud and Facebook Messenger.

iMessage zero-click exploits – The KISMET chain found by Citizen Lab in 2020 and the FORCEDENTRY chain in 2021 attacked the iPhone's iMessage app specifically, reflecting heavy investment in exploits that need no interaction from the victim.

Phantom – A more recently revealed NSO product, reported to focus on brute-forcing passwords and extracting data from Windows, macOS and Linux computers rather than phones.

These ongoing upgrades make Pegasus both broader and harder to detect. And if the reports about desktop coverage hold, NSO Group can offer near complete monitoring of a target across all of their devices.

The Market for Spyware

While figures on spyware sales are hard to confirm, researchers have estimated from public records that NSO charges government clients approximately $7 million to $8 million for a licence covering about 300 phones. Earlier pricing reported in 2016 was $650,000 for ten iPhone targets on top of a $500,000 setup fee.

[Pricing table for Pegasus packages]

Citizen Lab identified suspected Pegasus infections in 45 countries in 2018, and at these prices sales and maintenance contracts could easily generate NSO Group around $200 million a year. Countries clearly believe the capabilities offered by Pegasus justify the cost. For authorities seeking to infiltrate criminal networks or monitor terror suspects while staying undetected themselves, malware as advanced as Pegasus fits the bill.

Of course, as we've seen in many cases, countries also turn this surveillance power on political opponents, reporters, activists and other non-criminals. This further expands the addressable market for spyware tools.

The Ethics of Commercial Spyware

While NSO Group says it sells Pegasus only to military, law enforcement and intelligence agencies, there are few real barriers to its misuse in practice. And as one of the most sophisticated malware tools known, Pegasus poses exceptional risks to rights and liberties around the world.

Some argue the companies behind this market for offensive hacking tools cannot reasonably prevent authoritarian regimes from misusing malware to crush dissent. Campaigners in Israel recently filed a lawsuit aiming to revoke NSO Group's export licence, claiming that:

"NSO continues to sell its products to authoritarian regimes, which habitually misuse surveillance software to commit horrible human rights violations."

Many civil rights groups now argue that commercial spyware needs tighter national and international regulation to restrict sales. Others counter that denying governments tools like Pegasus would leave criminals and terrorists with strong encryption and security technologies that investigators cannot get past.

Technologists argue the only real solution lies in building inherently secure devices and networks that offer robust encryption. But software vulnerabilities will always exist to some extent, allowing extremely advanced malware like Pegasus to keep flourishing.

Mitigating Mobile Threats Like Pegasus

Because it exploits undisclosed flaws, Pegasus is very hard to block before infection, and its recent iOS implants leave few traces on disk. Detection after the fact is nonetheless possible: Amnesty International's open-source Mobile Verification Toolkit (MVT) checks an iPhone backup or an Android device against published indicators of compromise such as exploit-server domains and rogue process names. Beyond that, security researchers suggest:

  • Keep phones up-to-date so that every publicly disclosed exploit is patched; a zero-day only becomes a patched bug once the update is actually installed
  • Avoid sideloading apps from third-party stores that may be compromised
  • Security apps can flag some exploit attempts on Android but have little visibility on iOS; do not rely on them against zero-click attacks
  • Reduce the attack surface: the 2019 WhatsApp call exploit and the iMessage chains were patched, but any app that accepts unsolicited messages from strangers is a potential entry point, and on iOS 16 and later Lockdown Mode disables many such features, including most iMessage attachment types
  • Reboot the phone daily: the zero-click iOS implants analysed by Amnesty did not survive a restart, so a reboot evicts them until the next exploitation
  • Use disposable burner phones for activities that may attract state-sponsored attackers

But none of these can prevent the zero-day, zero-click exploits that Pegasus employs. Ultimately, as mobile surveillance tools continue to advance, we may have to accept that extremely skilled and well-resourced attackers will often gain access. The only lasting remedy lies in developing more secure protocols, networks and devices over the longer term.
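The after-the-fact check that forensic tools such as MVT perform is simpler than it sounds: published indicators of compromise (IOCs) are distributed as a STIX2 bundle, and artefacts pulled from a phone backup are matched against them. The script below is an added example, not code from the original article and not MVT's own code. It parses a constructed STIX2 bundle (the same pattern format Amnesty's Security Lab uses for its public indicators, but with placeholder values that are not real Pegasus infrastructure), then sweeps constructed records imitating Safari history, links found in SMS messages and iOS DataUsage rows (per-process cellular traffic). All domains, process names and record layouts are assumptions made for illustration.

```python
"""IOC sweep in the style of Amnesty's Mobile Verification Toolkit (MVT):
load a STIX2 bundle of indicators and match its domain and process
indicators against artefacts extracted from a phone backup.

Everything below is a constructed illustration: the indicator values and
the device records are placeholders, not real Pegasus infrastructure.
"""
import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed STIX2 bundle. Real indicators are published in this format
# (github.com/AmnestyTech/investigations); the values here are fake.
SAMPLE_STIX2 = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'lookup-svc.example.net']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'cdn-update.example.org']"},
        {"type": "indicator", "pattern_type": "stix",
         "pattern": "[process:name = 'bh_helper']"},
        {"type": "malware", "name": "Pegasus"},  # non-indicator objects are skipped
    ],
})

# One simple STIX pattern clause: [<object-type>:<property> = '<value>']
_CLAUSE = re.compile(r"\[([a-z\-]+):([a-z_.\-]+)\s*=\s*'([^']*)'\]")


def parse_stix_indicators(bundle_json: str) -> dict:
    """Return {'domain-name': {...}, 'process': {...}, ...} from a STIX2 bundle."""
    iocs = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = _CLAUSE.fullmatch(obj["pattern"].strip())
        if not m:  # compound patterns (AND/OR) are out of scope for this sweep
            continue
        obj_type, _prop, value = m.groups()
        iocs.setdefault(obj_type, set()).add(value.lower())
    return iocs


def _domain_hit(host: str, domains: set) -> Optional[str]:
    """Exact or subdomain match: 'a.b.c' hits IOC 'b.c', but 'xb.c' does not."""
    host = host.lower().rstrip(".")
    for ioc in domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_records(records: list, iocs: dict) -> list:
    """Match backup artefacts against IOCs; returns one dict per hit."""
    hits = []
    domains = iocs.get("domain-name", set())
    processes = iocs.get("process", set())
    for rec in records:
        if rec["source"] in ("safari_history", "sms_links"):
            host = urlsplit(rec["url"]).hostname or ""
            ioc = _domain_hit(host, domains)
            if ioc:
                hits.append({"source": rec["source"], "ioc": ioc, "value": rec["url"]})
        elif rec["source"] == "datausage":
            # Unknown binaries generating cellular traffic are a classic tell.
            if rec["process"].lower() in processes:
                hits.append({"source": rec["source"], "ioc": rec["process"],
                             "value": rec["process"]})
    return hits


# Constructed records imitating what a backup parser extracts: Safari history,
# links inside SMS messages, and DataUsage rows (per-process cellular bytes).
SAMPLE_RECORDS = [
    {"source": "safari_history", "url": "https://news.example.com/story/42"},
    {"source": "sms_links", "url": "http://parcel.lookup-svc.example.net/t?id=7"},
    {"source": "datausage", "process": "com.apple.WebKit.Networking", "wwan_out": 81234},
    {"source": "datausage", "process": "bh_helper", "wwan_out": 4096},
    {"source": "safari_history", "url": "https://notlookup-svc.example.net/"},  # no hit
]


def sweep(bundle_json: str = SAMPLE_STIX2, records: list = SAMPLE_RECORDS) -> list:
    """Parse the bundle and scan the records; returns the list of hits."""
    return scan_records(records, parse_stix_indicators(bundle_json))


if __name__ == "__main__":
    for hit in sweep():
        print(f"[{hit['source']}] matched IOC {hit['ioc']}: {hit['value']}")
```

The subdomain rule matters in practice: exploit links typically use a throwaway host under an indicator domain, so an exact-match comparison would miss them, while a naive substring match would flag unrelated hosts like the last record above. A clean sweep proves only that none of the published indicators were seen, not that the device is uninfected.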

The Era of Ultra-Sophisticated Spyware

As smartphone usage explodes worldwide, powerful spyware that subverts these devices is increasingly in demand. Pegasus represents the current state-of-the-art in stealthy mobile surveillance from both a technical and commercial perspective. Features once limited to nation-state cyber programs are now productized inside advanced threats like this.

And while the known cases of journalists, activists and politicians targeted unjustly make the headlines, Pegasus presumably also lets law enforcement dismantle major crime gangs and monitor terror plots, mostly away from the public eye. However, the risk of misuse, combined with capabilities that bypass encryption entirely, means state authorities enjoy an increasingly disproportionate surveillance advantage over ordinary citizens. Reconciling privacy rights with public safety is thus one of the defining challenges of the coming years in this era of ultra-sophisticated spyware.