Pegasus Developers Are Very Well Versed with the Vulnerabilities of iOS and Android OS

- Nikhil S. Mahadeshwar, Co-founder & CTO, Skynet Softtech Pvt. Ltd.


Pegasus is a one-of-a-kind undetectable spyware developed by NSO Group, which belongs to Israel. There are several spywares available in the spyware industry or on the dark web, but Pegasus stands apart; it has proved itself by bypassing the security of Apple and Google, who rule the smartphone industry. The spyware is designed specifically so that it can spy on your contacts, call logs, SMS, WhatsApp chats, photos, videos, camera, location, microphone, etc., so the device is physically with you but virtually accessed by someone else.

The spyware's cost is so high that only government agencies or high-profile people can afford it. The technology used in designing Pegasus makes it unique, which is why its cost is so high, and according to NSO Group, they sell this type of spyware only to government agencies and not to private parties.

It seems that the designers or developers of Pegasus are very well versed with the vulnerabilities of the iOS and Android operating systems and have studied them in depth. The very first time the attack scenario was documented, in 2016, the iOS attack relied on a few CVEs (Common Vulnerabilities and Exposures entries) which Apple identified and patched in the next update, but the question still remains about the affected users on outdated versions of iOS, and about the iOS security team not being rigorous enough in testing the system from a security perspective, which the Pegasus developers took advantage of.

Given below is the list of CVEs:

  • CVE-2016-4655: Memory corruption in WebKit
  • CVE-2016-4656: Kernel information leak
  • CVE-2016-4657: Kernel memory corruption leading to jailbreak

A few samples of Pegasus were observed in 2019 on victims' phones, injected over the network. The Safari browser was used to deliver the payload; Apple Music and Apple Photos were also used to deliver the spyware in 2019. The spyware was installed through a message using a zero-click technique and was observed on the phone of a French journalist in June and August 2019. The same modus operandi was observed on Hungarian iPhones. In the 2019 variant the spyware could get inside the phone via iMessage, Safari, Music or any network route; the latest variant of Pegasus is injected through FaceTime missed calls and iMessage, using zero-click and zero-day techniques. Pegasus gets installed on your phone pretending to be a binary or process of the iOS operating system. Once it is inside your phone, it sends all the data present on the phone, including photos, videos, call logs, etc., to unauthorized APIs. Some of the servers were identified in an investigation conducted by Amnesty International. The servers were hosted at Amazon Web Services, Digital Ocean, Linode LLC, Upcloud Choopa, OVH Saas, Virtual System LLC and HZ Hosting Limited. After the report, Amazon suspended the hosting services. These servers were set up in multiple countries including Germany, the United Kingdom, Switzerland, the USA, Ukraine, Canada, France, Finland, the Netherlands, India, Austria, Japan, Singapore, Bulgaria, Lithuania and Bahrain, of which 3 servers were planted in India. It seems that Pegasus has planned its infrastructure so that even if 1 server fails, they have multiple hosting providers present as a backup in multiple countries. In my view, some countries also place restrictions on servers, such as on the storage and transmission of spied data, and that is the reason they have multiple servers planted in multiple countries.
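The article notes that Pegasus installs itself pretending to be an iOS system binary or process. The following is an added example (not from the article or from any forensic tool it mentions) of the kind of baseline check an investigator can run over a process snapshot: it flags names absent from a trusted baseline, names that are lookalikes of trusted ones, and trusted names running from an unexpected path. The baseline, the snapshot and its process names are constructed for illustration; the baseline is not an authoritative list of iOS processes.

```python
"""Flag processes that imitate trusted system binaries in a process snapshot.

Added example; the baseline and snapshot below are CONSTRUCTED, not real data.
"""
from difflib import SequenceMatcher

# Constructed baseline: a few legitimate name -> path pairs an analyst trusts.
BASELINE = {
    "launchd": "/sbin/launchd",
    "SpringBoard": "/System/Library/CoreServices/SpringBoard.app/SpringBoard",
    "imagent": "/System/Library/PrivateFrameworks/IMCore.framework/imagent",
    "mediaserverd": "/usr/sbin/mediaserverd",
}

# Constructed snapshot in the style of `ps -o pid,comm,args` output.
SNAPSHOT = """\
PID COMM          ARGS
1   launchd       /sbin/launchd
42  SpringBoard   /System/Library/CoreServices/SpringBoard.app/SpringBoard
77  imagent       /System/Library/PrivateFrameworks/IMCore.framework/imagent
88  mediaserverd  /private/var/tmp/mediaserverd
91  lmagent       /private/var/tmp/lmagent
"""


def parse_snapshot(text):
    """Return (pid, name, path) tuples; the first line is the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        rows.append((int(parts[0]), parts[1], parts[2]))
    return rows


def similarity(a, b):
    """Case-insensitive string similarity in [0, 1]."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def suspicious(rows, threshold=0.8):
    """Return (pid, name, reason) for every process that deserves a look."""
    findings = []
    for pid, name, path in rows:
        if name in BASELINE:
            if path != BASELINE[name]:
                findings.append((pid, name, "known name, unexpected path: " + path))
            continue
        close = [n for n in BASELINE if similarity(name, n) >= threshold]
        if close:
            findings.append((pid, name, "lookalike of " + close[0]))
        else:
            findings.append((pid, name, "not in baseline"))
    return findings
```

A real investigation would take the baseline from a known-clean device of the same iOS build rather than from a hand-written table.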
This spyware did not simply appear in 2021; it seems that NSO Group has been working on it across 2010, 2014, 2016 and 2017. Investigative agencies have found traces of Pegasus installed on journalists' mobile devices, such as those of Carmen Aristegui, a Mexican journalist, and Maati Monjib from Morocco, a human rights defender, whose mobile devices were found to be suspicious. It was expected of the iOS and Android platforms that they be ready for such attacks and able to secure their users from them.

Today we use smartphones for everything. Our personal and professional lives revolve around them; our work emails and family chats depend on them. But we are not aware of the vulnerabilities present in these phones. Whether you use an iOS or an Android phone, vulnerabilities are present in every device. No smartphone can claim to be 100% secure, and hackers always exploit vulnerabilities through backdoors. Securing a smartphone is a continuous process, not a one-time task, so whatever we use should always be kept updated: the security patch level should be current, any security update you receive should be installed immediately, and the applications on our phones should come from authentic sources only, never from unknown sources. Installing applications via sharing apps or any unknown source may lead to the injection of spyware. There are many spywares in the market; Pegasus has been highlighted because it is undetectable and has affected high-profile people including journalists, politicians and human rights activists, but other spywares are used to compromise smartphones for different reasons, such as spouses spying on their partners, business tycoons spying on their rivals, or politicians unlawfully spying on their rivals. So the vulnerabilities are present, and we cannot declare our smartphones safe merely because we say they are. Security researchers keep examining the current versions that companies call secure, find vulnerabilities, and either exploit them or report them to the respective authorities. Reported vulnerabilities get patched, but the question remains: what about the vulnerabilities yet to be found in the latest update? That is why we cannot say that smartphones are 100% secure.
But there are also various anti-hacking, anti-spying, anti-phishing and paid Wi-Fi security solutions which can secure your devices from such cyber-attacks. Smartphones are not the only pathway for hackers to exploit; they can also enter a device that is connected to a shared Wi-Fi network.

Even before Pegasus, spywares were available in the market and people were using them for unethical personal and professional purposes to get hold of data. The Pegasus incident is an eye opener for high-profile personnel and common people alike. Currently high-profile people are the targets of this spyware, but we can't deny that ordinary people's data is also very important and is equally at stake from spywares similar to Pegasus.

Here I would like to say that money is not the ultimate motive; there might be other personal interests, such as power, too. So understand the power games: honey-trapping victims and getting hold of data that could embarrass them, because everyone has their own privacy, almost everyone who uses a smartphone has a password, Face ID or touch security, and there is a reason people use digital vaults. The intention of the people who use spyware is not only money, but also to get personal and professional information and misuse it or spoil the victim's reputation. In some cases, it is done to disturb the victim mentally.

The lesson that users should learn from this is that vulnerabilities can be exploited on anyone's phone, and this is just a start. The data collected from Pegasus attacks is now stored on different servers, with NSO Group and end engineers, and we are not aware of when and where our data will be exploited or misused. We are also not aware of the agreements made with the internal server and NSO Group.

So another attack can target you as well; even if Pegasus does not attack, there are different spywares which can. There are certain preventive measures which users should follow on a regular basis:

  • update the operating system,
  • update the applications,
  • always download apps from authenticated sources,
  • do not turn USB debugging mode on, so as to stay safe from juice jacking attacks,
  • always use paid cyber security applications,
  • use vault applications to secure your confidential data,
  • always keep an authentication factor in place when giving your device to anybody else.
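As an added example (not from the article), the check below turns three of the measures above into something a user or administrator can verify on an Android device: the age of the security patch level, whether USB debugging is on, and whether installs from unknown sources are allowed. The snapshot is constructed; the property and setting names are the ones Android reports through `getprop` and `settings get`, and the 90-day staleness limit is an assumption.

```python
"""Check a device posture snapshot against the preventive measures above.

Added example; SNAPSHOT is CONSTRUCTED and MAX_PATCH_AGE_DAYS is an assumption.
"""
import re
from datetime import date

# Constructed snapshot: `getprop` prints "[key]: [value]"; the two trailing
# lines stand in for `settings get global adb_enabled` and
# `settings get secure install_non_market_apps`, written as key=value.
SNAPSHOT = """\
[ro.build.version.release]: [11]
[ro.build.version.security_patch]: [2021-03-05]
adb_enabled=1
install_non_market_apps=0
"""

MAX_PATCH_AGE_DAYS = 90  # assumption: older patch levels are reported as stale


def parse_snapshot(text):
    """Return a flat dict of property/setting name -> value."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[(.+?)\]: \[(.*)\]$", line)
        if m:
            props[m.group(1)] = m.group(2)
        elif "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def posture_findings(props, today_iso):
    """Return human-readable findings; an empty list means the checks passed."""
    findings = []
    today = date.fromisoformat(today_iso)
    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        findings.append("security patch level unknown")
    else:
        age = (today - date.fromisoformat(patch)).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(f"security patch level {patch} is {age} days old")
    if props.get("adb_enabled") == "1":
        findings.append("USB debugging is enabled (juice jacking exposure)")
    if props.get("install_non_market_apps") == "1":
        findings.append("installs from unknown sources are allowed")
    return findings
```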

The lesson which mobile manufacturers should learn is to patch vulnerabilities and not ignore those reported by independent security researchers or by big companies. Many a time, to save the bounty amount, companies simply ignore the vulnerabilities and do not take them seriously. If the security researchers are not happy with the result, they may take the vulnerabilities elsewhere and it might become a zero-day attack; mobile manufacturers should learn to take every report seriously, work on it and patch it as soon as possible. iOS is very restricted, whereas Android, being open source, is more vulnerable because different mobile makers create different UIs. For instance, OnePlus has its own OxygenOS, and each such variant has its own vulnerabilities, while iOS is tied only to specific models. We can see that the Pegasus attacks succeeded against iOS, with Pegasus's clients targeting iPhones, even though Apple has been marketing its phone as the most secure phone.

In this technological era, it is really difficult for countries or public and private investigating agencies to detect such attacks, and one of the reasons is the use of anti-forensic techniques. For instance, Pegasus is self-destructive; even so, it leaves a few traces, but those traces are not enough evidence to prove the end point of the data, where it started and where it is going. Hence we get information in pieces, which misleads investigators, and the anti-forensic techniques used in such attacks exist so that the attacks do not get detected. So more and more forensic technology should be developed, and government agencies should focus on detecting such attacks using digital forensic investigation techniques, which is my view as a Digital Forensic Investigator.

As a digital forensics investigator looking at this incident, I feel that we are heading towards a spyware war, because spyware technologies were available previously and Pegasus has set a benchmark. And tomorrow, a new Pegasus might erupt from NSO Group or any other group. What should be learnt from this is that operating system companies like iOS and Android, other manufacturing companies, cyber security companies and digital forensics investigation companies should be ready for such attacks, which were previously targeted at corporates but soon might knock on your door as well, or are currently knocking without your knowledge. So be updated and be ready with cyber security solutions so that, even if you cannot eliminate the risk, you can minimize it. As a responsible citizen of the country, you should also be a responsible netizen. Use technology responsibly.