Protect Yourself from Powerful Pegasus Spyware
Revelation of potential Pegasus targets
First uncovered by Lookout and Citizen Lab in 2016, the highly advanced mobile spyware Pegasus was recently confirmed to have been used against business executives, human rights activists, journalists, academics and government officials.
In a joint investigation into a leaked list of more than 50,000 phone numbers, 17 media organizations found a high concentration of numbers from countries known to surveil their citizens. Governments in these countries are also known to have been clients of the NSO Group, the Israeli company behind Pegasus and a leading vendor in the largely unregulated commercial spyware industry.
Even if your phone number isn’t on the list, this revelation illustrates that tablets and smartphones aren’t immune to cyberattacks, and that spyware doesn’t only target people in government organizations. Android and iOS devices are now an integral part of how we work and manage our daily lives, so an attacker who compromises one can steal a wealth of sensitive data, from personal information to proprietary corporate data.
What is Pegasus?
Widely considered the most advanced mobile spyware in the world, Pegasus can be deployed on both iOS and Android devices, and it has continued to evolve since its discovery. What makes Pegasus so sophisticated is the degree of control it gives the operator over the victim’s device, the breadth of data it can extract, and its evolution into a zero-click payload that needs no interaction from the victim.
Pegasus can extract highly accurate GPS coordinates, photos, email and files, as well as messages from end-to-end encrypted apps such as WhatsApp and Signal. End-to-end encryption protects messages in transit, not on a compromised endpoint: the spyware reads them from the device after the app has decrypted them. It can also turn on the device’s microphone to eavesdrop on in-room conversations or phone calls and activate the camera to record video.
For years, the NSO Group has denied that Pegasus is used by malicious actors. The firm claims that it sells Pegasus only to intelligence and law enforcement agencies in about 40 countries and that every prospective customer’s human rights record is rigorously vetted. The 2018 assassination of journalist Jamal Khashoggi cast significant doubt on this: Citizen Lab had found Pegasus on the phones of people close to him, and it was widely believed that the Saudi government had used the spyware to track him.
Citizens and governments alike should be concerned
The revelation of how widely Pegasus is used should alarm all citizens, not just government entities. The commercialization of spyware, much as the commercialization of phishing kits did before it, puts everyone at risk.
Mobile devices can access the same data as a PC, from anywhere. This dramatically increases the attack surface and the risk for organizations, because mobile devices are typically used outside the security perimeter. Any executive or employee with access to sensitive data, technological research or infrastructure is therefore a lucrative target.
While mobile OS and app developers are constantly improving the security of their products, these platforms are also becoming more complex. This means there will always be room for vulnerabilities to exploit and for spyware like Pegasus to thrive.
Mobile phishing attacks remain at the root
As much as things may change, mobile phishing remains the most effective first step for attackers. Like other mobile malware, Pegasus has typically been delivered to its victims through a phishing link, and the most effective way to get a victim to open such a link is social engineering. Pegasus itself was brought to our attention by a human rights defender who was sent a link from an unknown mobile number promising information relevant to his work; rather than tap it, he forwarded it for analysis.
Pegasus has since evolved to a zero-click delivery model, meaning the victim doesn’t need to tap anything for the device to be compromised, but the message carrying the exploit, with or without a link, still has to reach the device. Considering the countless iOS and Android apps with messaging functionality, that could happen through SMS, email, social media, third-party messaging, gaming or even dating apps.
How these attacks work and how Lookout can help protect you
The tactics used by Pegasus are similar to those of many other Advanced Persistent Threats (APTs). Here is how Lookout can help protect your organization against each of the principal tactics APTs use to carry out an attack:
The first step for Pegasus and most APTs is usually phishing. Lookout Phishing and Content Protection (PCP) can protect your organization against each of the following scenarios that Pegasus and other APTs use:
- Pegasus can be delivered as a zero-click or one-click infection. Whichever tactic is used, the spyware payload itself is still loaded over the network, which gives a network-level control a chance to stop it.
- Admin Action: Enable PCP across your entire mobile fleet and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.
- How Lookout does it: Lookout continuously discovers, acquires, and analyzes newly registered domains and websites to uncover those that are purpose-built for phishing and malicious purposes. Lookout PCP enables us to provide near real-time protection against zero-hour phishing attacks.
Spyware frequently exploits vulnerabilities at both the app and device level in order to gain access to the OS of the device or exfiltrate data from particular parts of the system.
- The Lookout app can detect when an app vulnerability is present on the end-user device and when the device is running an OS or Android Security Patch Level (ASPL) version with known vulnerabilities. In each case, Lookout can alert both the user and the admin.
- Admin Action: Enable a required minimum OS or ASPL version policy and the vulnerable app version policy. Require users to update their device and apps to the latest versions if they want to be granted access to company resources.
- How Lookout does it: Lookout Mobile Vulnerability Management tracks known Common Vulnerabilities and Exposures (CVEs) for both iOS and Android at the OS and app level and automatically flags devices in your fleet on which any of them are present.
Pegasus and other APTs silently jailbreak or root the victim’s device. A zero-day exploit is, by definition, unknown before it is used, but the elevated privileges and modified system it leaves behind are observable. Lookout Mobile Endpoint Security can protect your organization’s mobile fleet from these exploits in the following ways:
- Lookout can detect the indicators of device compromise and alert users. Detection is based on a wide variety of data, including file system contents, system behavior and system parameters.
- Depending on the details of the spyware package, such as how it operates or where it sits on the device systems, it may produce traces that the Lookout detection code can identify.
- Admin Action: Ensure the default Root/Jailbreak policy is activated, set the priority to high, and set the action to alert the device and block access to the internet.
- How Lookout does it: Lookout continuously ingests malware artifacts and telemetry from the mobile ecosystem. This feeds its machine intelligence, which automatically identifies malicious behavior across any device or app.
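The two policies above (a minimum OS / Android Security Patch Level and vulnerable-app floor, and a root/jailbreak check) both reduce to a posture evaluation per device that ends in an access decision. The following is an added example of that evaluation, not Lookout’s code: the policy values, the app identifier `com.example.chat` and the fleet records are constructed for illustration, while the filesystem paths in `ROOT_INDICATORS` are well-known artefacts left by common rooting and jailbreaking tools.

```python
"""Device posture check: minimum OS / ASPL, vulnerable app versions and
root/jailbreak indicators. Added example; policy values and fleet records
are constructed, not real telemetry or Lookout defaults."""
from datetime import date

# Constructed policy (assumed values for illustration).
POLICY = {
    "min_os": {"ios": (14, 7, 1), "android": (11,)},
    "min_aspl": date(2021, 7, 1),            # Android Security Patch Level floor
    # app id -> first fixed version (constructed; not a real advisory)
    "vulnerable_apps": {"com.example.chat": (2, 21, 0)},
}

# Well-known filesystem artefacts of rooting / jailbreaking tools.
ROOT_INDICATORS = {
    "android": ["/system/bin/su", "/system/xbin/su", "/sbin/su",
                "/system/app/Superuser.apk"],
    "ios": ["/Applications/Cydia.app", "/bin/bash", "/usr/sbin/sshd",
            "/Library/MobileSubstrate/MobileSubstrate.dylib",
            "/private/var/lib/apt"],
}

def parse_version(s):
    """'14.7.1' -> (14, 7, 1); non-numeric suffixes such as '12-beta' drop to 12."""
    parts = []
    for p in s.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def version_lt(a, b):
    """Compare version tuples of unequal length, e.g. (11,) equals (11, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def evaluate_device(dev, policy=POLICY):
    """Return (decision, findings).

    'compromised'  -> alert the user and block internet access
    'noncompliant' -> block company resources until OS/apps are updated
    'compliant'    -> allow
    """
    findings = []
    plat = dev["platform"]
    if version_lt(parse_version(dev["os_version"]), policy["min_os"][plat]):
        findings.append(f"os_below_minimum:{dev['os_version']}")
    if plat == "android" and date.fromisoformat(dev["aspl"]) < policy["min_aspl"]:
        findings.append(f"aspl_stale:{dev['aspl']}")
    for app, ver in dev.get("apps", {}).items():
        fixed = policy["vulnerable_apps"].get(app)
        if fixed and version_lt(parse_version(ver), fixed):
            findings.append(f"vulnerable_app:{app}@{ver}")
    # Root/jailbreak indicators: known paths present, or a test-keys build.
    hits = [p for p in dev.get("present_paths", []) if p in ROOT_INDICATORS[plat]]
    if dev.get("build_tags") == "test-keys":
        hits.append("build_tags=test-keys")
    if hits:
        findings.append("device_compromised:" + ",".join(hits))
        return "compromised", findings
    return ("noncompliant" if findings else "compliant"), findings

# Constructed fleet snapshot (not real devices).
FLEET = [
    {"id": "d1", "platform": "ios", "os_version": "14.7.1",
     "apps": {"com.example.chat": "2.21.3"}, "present_paths": []},
    {"id": "d2", "platform": "android", "os_version": "10", "aspl": "2021-03-05",
     "apps": {}, "present_paths": [], "build_tags": "release-keys"},
    {"id": "d3", "platform": "android", "os_version": "11", "aspl": "2021-07-05",
     "apps": {"com.example.chat": "2.20.9"},
     "present_paths": ["/system/xbin/su"], "build_tags": "test-keys"},
]

def evaluate_fleet(fleet=FLEET, policy=POLICY):
    return {d["id"]: evaluate_device(d, policy) for d in fleet}

if __name__ == "__main__":
    for dev_id, (decision, findings) in evaluate_fleet().items():
        print(dev_id, decision, findings)
```

The compromise check deliberately wins over the patch-level check: a rooted device that is fully patched is still not trustworthy, so it is isolated rather than merely told to update. A real agent would gather `present_paths` and `build_tags` from the device itself; here they are part of the constructed record.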
Like other malware, Pegasus communicates with a command-and-control (C2) server, from which it takes orders from the operator and to which it sends exfiltrated data.
- Just like a phishing site, a C2 server is a remote host reachable over the network, and Lookout can identify it as malicious and block the connection.
- Admin Action: Enable PCP across your organization and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.
- How Lookout does it: Lookout can detect when the device is attempting to connect to a C2 server and terminate the connection. This can help prevent sensitive data exfiltration and additional malware downloads.
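Both the phishing protection described earlier (blocking newly registered, purpose-built domains) and the C2 blocking above come down to the same control: inspect each outbound connection a device attempts and terminate it when the destination matches an indicator. The block below is an added example of that logic run over constructed connection log lines; it is not Lookout’s implementation. The indicator lists, the domain registration dates standing in for a newly-registered-domain feed, and the log format are all assumptions, and the hostnames and IP addresses use reserved test TLDs and documentation ranges rather than any real infrastructure.

```python
"""Outbound connection filtering against phishing / C2 indicators.
Added example; indicators, registration dates and log lines are constructed."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed threat intelligence (reserved TLDs and documentation ranges only).
BLOCKED_DOMAINS = {"c2-relay.test", "account-verify.example"}
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Constructed registration dates standing in for a newly-registered-domain feed.
DOMAIN_REGISTERED = {
    "fresh-login-portal.test": datetime(2021, 7, 18, tzinfo=timezone.utc),
    "corp-mail.example": datetime(2015, 2, 1, tzinfo=timezone.utc),
}
NEW_DOMAIN_WINDOW = timedelta(days=30)

# Assumed log format: "<iso-timestamp> <device-id> connect host=<h> ip=<a>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) connect host=(?P<host>\S+) ip=(?P<ip>\S+)")

def domain_in_blocklist(host, blocklist=BLOCKED_DOMAINS):
    """Match the host and every parent domain (but never the bare TLD),
    so update.c2-relay.test is caught by the c2-relay.test indicator."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def ip_in_blocklist(ip, networks=BLOCKED_NETWORKS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def is_newly_registered(host, observed_at, registry=DOMAIN_REGISTERED,
                        window=NEW_DOMAIN_WINDOW):
    """Flag domains registered within `window` of the connection.
    Assumes the registrable domain is the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    registered = registry.get(".".join(labels[-2:]))
    return registered is not None and observed_at - registered <= window

def classify(line):
    """Return (device, action, reason) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    observed = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    host, ip = m["host"], m["ip"]
    if domain_in_blocklist(host):
        return m["device"], "terminate", f"blocked_domain:{host}"
    if ip_in_blocklist(ip):
        return m["device"], "terminate", f"blocked_ip:{ip}"
    if is_newly_registered(host, observed):
        return m["device"], "terminate", f"newly_registered_domain:{host}"
    return m["device"], "allow", ""

# Constructed sample log (not captured traffic).
SAMPLE_LOG = """\
2021-07-20T10:01:02Z d1 connect host=corp-mail.example ip=198.51.100.7
2021-07-20T10:02:10Z d2 connect host=update.c2-relay.test ip=198.51.100.9
2021-07-20T10:03:44Z d3 connect host=static.cdn.example ip=203.0.113.40
2021-07-20T10:04:01Z d1 connect host=fresh-login-portal.test ip=198.51.100.20
malformed line that should be skipped
"""

def filter_log(text=SAMPLE_LOG):
    """Classify every parseable line; malformed lines are dropped, not allowed."""
    return [r for r in (classify(line) for line in text.splitlines()) if r]

if __name__ == "__main__":
    for device, action, reason in filter_log():
        print(device, action, reason)
```

Matching on the IP as well as the hostname matters because a C2 host can rotate domain names faster than a blocklist is updated, and the newly-registered-domain check catches the throwaway domains that purpose-built phishing and payload-hosting sites use before they appear on any blocklist.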