Gavin Wood is the Chief Technology Officer at Chess. With over 20 years in the IT industry, Gavin has a track record of driving successful business transformation through technology. An avid yachtsman, he's a massive advocate for remote working and anywhere operations.
Gavin Wood, CTO at Chess, summarises in a 3-minute read what Pegasus Spyware is and how it can hack your phone. He covers:
- What is Pegasus Spyware?
- Pegasus Spyware in 2021
- How does Pegasus Spyware work?
- How can you protect yourself from Pegasus Spyware?
- Should you be worried about Pegasus Spyware?
What is Pegasus Spyware?
Unlike typical malware, Pegasus is a very specific type of cyber warfare tool known as spyware, developed by a commercial business called NSO Group.
The Pegasus software or, more accurately, the group of exploits that form Pegasus can exploit all recent iOS versions up to iOS 14.6. As of 2016, Pegasus could read text messages, track calls, collect passwords, track location, access the target device's microphone and camera, and harvest information from apps.
Pegasus was discovered in August 2016 after a failed installation attempt on the iPhone of Ahmed Mansoor, a human rights activist, which led to an investigation revealing details about the spyware, its abilities, and the security vulnerabilities it exploited.
Pegasus Spyware in 2021
In July 2021, an in-depth analysis by human rights group Amnesty International uncovered that Pegasus was still being widely used against high-profile targets, alongside a well-publicised leak of up to 50,000 phone numbers of potential Pegasus targets. It showed that Pegasus could infect all modern iOS versions up to iOS 14.6 through a zero-click iMessage exploit.
How does Pegasus work?
The Pegasus software can be installed in two ways. The target (and I am using the word target here very specifically) can be sent a text message or WhatsApp message containing a link. If the link is clicked, the malware is installed, much like other types of malware. However, Pegasus is extra special because it has been shown to use a zero-click exploit in iMessage. The user does not even need to read the message, only receive it, and the chain of zero-day exploits allows the software to be installed.
How can you protect yourself from Pegasus Spyware?
Good cyber hygiene practices can help prevent infection from Pegasus or any other type of malware. Phishing (or smishing) works because these attacks take advantage of human nature to generate a result. Recently, there has been an alarming rise in WhatsApp fraud, tricking people into sending money to third-party bad actors (often claiming to be family members). The same approach could easily be directed at getting people to click links and install software.
As a rule, if you don't know the sender, or if something doesn't look right, double-check: call the contact before clicking the link or transferring those funds.
Should I be worried?
According to the excellent article by Kim Zetter, "NSO Group says Pegasus is sold only to governments and law enforcement agencies for purposes of tracking terrorists, paedophiles and other criminals. But a number of repressive regimes with poor human rights records have been caught using the tool to spy on human rights activists, journalists and anyone else who is critical of their regime." NSO themselves don't know how many installations there have been of Pegasus.
Pegasus is a nation-state cyber warfare tool designed to go undetected and track high-value targets. The costs of buying Pegasus and/or a zero-day exploit are huge, and widespread use comes with its drawbacks. The fewer people know about the tool, the longer it will go undetected.
So, should you be worried about Pegasus?
In all reality, probably not. However, there are plenty of other threats you should consider - malware, credential-stealing software, phishing/smishing attacks. You should take preventative measures to protect your devices. A good mobile device management (MDM) platform such as Intune from Microsoft or Sophos' Mobile Security will ensure device compliance in a business environment. Regular patching and user awareness training will also play their part in keeping you and your business secure.
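As an added example (not from the original article or from any MDM vendor), here is the kind of OS-version compliance rule an MDM platform enforces, applied to the article's statement that Pegasus could infect iOS versions up to 14.6. The inventory rows, column names and function names are constructed for illustration, and treating point releases of 14.6 as exposed is a conservative assumption.

```python
import csv
import io

# Highest iOS release the article reports as exploitable by Pegasus.
LAST_REPORTED_EXPLOITABLE = (14, 6)

# Constructed sample of an MDM inventory export (hypothetical column names).
SAMPLE_EXPORT = """device,platform,os_version
ceo-iphone,iOS,14.6
sales-iphone,iOS,14.10
ops-iphone,iOS,15.1
hr-iphone,iOS,14.4.2
lab-iphone,iOS,unknown
warehouse-tablet,Android,11
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not numeric."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_exposed(version, ceiling=LAST_REPORTED_EXPLOITABLE):
    """True if the major.minor release is at or below the ceiling.

    Assumption: 14.6.x is treated like 14.6. Comparing integers rather than
    strings matters: as text, "14.10" sorts below "14.6".
    """
    return version[:2] <= ceiling


def audit(export_text):
    """Return (exposed, unverified) lists of iOS device names."""
    exposed, unverified = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["platform"].strip().lower() != "ios":
            continue  # the article's version claim covers iOS only
        version = parse_version(row["os_version"])
        if version is None:
            unverified.append(row["device"])  # cannot prove compliance
        elif is_exposed(version):
            exposed.append(row["device"])
    return exposed, unverified


if __name__ == "__main__":
    exposed, unverified = audit(SAMPLE_EXPORT)
    print("update required:", exposed)
    print("version unknown, check manually:", unverified)
```

A device above the threshold is only outside the range the article reports; keeping it on the latest release remains the compliance target.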