Widely used by intelligence agencies, Pegasus is spyware that targets the mobile devices of specific individuals.
It is one of the most sophisticated online-surveillance tools ever developed: once on a device, it silently extracts the target's data.
Since Citizen Lab first exposed it in 2016, NSO Group has significantly improved its proprietary Pegasus spyware, notably expanding its ability to target iOS devices.
That expansion included the extraction of photos and iMessage conversations from iPhones.
According to Statista, a 2023 report found that around 45% of Pegasus users worldwide were intelligence agencies.
NSO Group's own transparency report puts about 46% of its users at law enforcement agencies and 9% at military services.
This article covers what Pegasus is, whether it can be detected, whether it is legal, the controversy around it, and what can be done to remove it.
What is Pegasus Spyware?
Pegasus is spyware that is covertly installed on both Android and iOS devices to monitor their users. It is known to exploit zero-day vulnerabilities (flaws unknown to the vendor, for which no patch exists), and its later versions have used zero-click exploits that require no action from the target.
NSO Group, an Israeli cyber-intelligence company, first developed it in 2010 with the stated aim of helping authorised government agencies combat terrorism and crime.
Once installed, it collects a vast amount of personal data from the infected device without the user's knowledge or consent, including messages, contacts and location data.
Beyond text, it can record from the device's microphone and camera, switching them on without any indication to the user.
Can Pegasus Spyware Be Detected?
Pegasus, including its newer versions, can be detected. Security organisations such as Citizen Lab and Kaspersky have developed methods for spotting it and similar spyware.
For instance, Kaspersky's Global Research and Analysis Team (GReAT) devised a lightweight method for detecting indicators of infection by sophisticated iOS spyware such as Pegasus, Reign and Predator by analysing Shutdown.log, a previously little-examined forensic artefact.
According to Kaspersky, Pegasus infections leave traces in an unexpected place: Shutdown.log, a system log that is included in the sysdiagnose archive of any iOS device. The log records the processes that delayed each reboot, so it accumulates entries from every reboot session. If an infected user reboots the device, anomalies associated with Pegasus (such as processes running from an unusual staging directory) become visible in it; if the device is never rebooted while infected, the log records nothing.
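As an added example (not part of the original article, and not Kaspersky's own tooling), the following Python scans a copy of Shutdown.log for process entries whose binary lives under the staging path named in Kaspersky's report, and separately counts processes that repeatedly hold up a reboot. The sample log is constructed and its line layout is approximated; the suspicious-path list and the repeat-count threshold are assumptions to tune against real captures. To obtain the file, trigger a sysdiagnose on the iPhone (hold both volume buttons and the side button for about one and a half seconds), export the archive from Settings > Privacy & Security > Analytics & Improvements > Analytics Data, and locate shutdown.log inside it.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Where the artefact lives on the device and inside a sysdiagnose archive,
# per Kaspersky's write-up.
SHUTDOWN_LOG_PATH = "/private/var/db/diagnostics/shutdown.log"

# Kaspersky flagged processes that delayed shutdown while running from this
# staging directory; ordinary iOS daemons do not run from there.
SUSPICIOUS_PREFIXES = ("/private/var/db/com.apple.xpc.roleaccountd.staging/",)

# launchd writes the processes that held up a reboot either as a
# "remaining client pid" line or as an indented "PID <n> (<path>)" line
# under an "After <n>s, there are still ..." header. The exact layout is
# approximated here (assumption); adjust the patterns to your own log.
CLIENT_PID_RE = re.compile(r"remaining client pid:\s*(\d+)\s*\((.+?)\)")
STILL_RUNNING_RE = re.compile(r"^\s*PID\s+(\d+)\s*\((.+?)\)")

# Constructed sample, not a real capture: one benign daemon, then a process
# under the staging path that holds up two consecutive reboots.
SAMPLE_LOG = """\
SIGTERM: [0x0] remaining client pid: 1201 (/usr/sbin/mDNSResponder)
After 3s, there are still 1 proc(s) running:
            PID 1201 (/usr/sbin/mDNSResponder)
SIGTERM: [0x0] remaining client pid: 1340 (/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd)
After 3s, there are still 1 proc(s) running:
            PID 1340 (/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd)
After 4s, there are still 1 proc(s) running:
            PID 1340 (/private/var/db/com.apple.xpc.roleaccountd.staging/rolexd)
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    pid: int
    path: str
    reason: str


def parse_entries(text: str) -> list[tuple[int, int, str]]:
    """Return (line_no, pid, path) for every process entry in the log."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CLIENT_PID_RE.search(line) or STILL_RUNNING_RE.match(line)
        if m:
            entries.append((line_no, int(m.group(1)), m.group(2)))
    return entries


def scan_shutdown_log(text: str) -> list[Finding]:
    """Flag every entry whose binary lives under a suspicious prefix."""
    return [
        Finding(line_no, pid, path, "process running from roleaccountd.staging")
        for line_no, pid, path in parse_entries(text)
        if path.startswith(SUSPICIOUS_PREFIXES)
    ]


def stubborn_processes(text: str, min_count: int = 2) -> dict[str, int]:
    """Paths that held up the reboot at least min_count times.

    Our own supplementary heuristic (assumption): a process that keeps
    delaying shutdown across reboots deserves a look even if its path is
    not on a list. Only the indented "still running" lines are counted.
    """
    counts = Counter(
        m.group(2)
        for line in text.splitlines()
        if (m := STILL_RUNNING_RE.match(line))
    )
    return {path: n for path, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for f in scan_shutdown_log(SAMPLE_LOG):
        print(f"line {f.line_no}: pid {f.pid} {f.path} -> {f.reason}")
    for path, n in stubborn_processes(SAMPLE_LOG).items():
        print(f"{path} delayed shutdown {n} times")
```

On a real archive, read the file with `open(...).read()` and pass it to `scan_shutdown_log`; a hit is a lead for a full forensic examination, not proof of infection on its own, and an empty result means little if the phone was never rebooted while compromised.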
Amnesty International's forensic methodology report, "How to catch NSO Group's Pegasus", published in July 2021, showed that Pegasus tends to leave forensic traces on iOS and Android devices: remnants of network-injection attacks, suspicious processes, and artefacts of zero-click exploits.
The international NGO's position is that by analysing such traces, security researchers and civil society can detect and respond to Pegasus infections.
Overall, if you suspect you are being spied on, the best course is to consult a cybersecurity expert. This is especially true if you observe connections to suspicious IP addresses or domains associated with NSO Group, unusual background activity on your device, or unexpected application updates.
Is Pegasus Spyware Legal?
Legal action has been taken against NSO Group, the owner of Pegasus, and against the use of Pegasus, but the spyware has not been outright banned. Many countries have, however, imposed restrictions on its use and export.
The legality of a given deployment also depends on how it is used. Although NSO Group says it sells Pegasus only to authorised government agencies, many instances of misuse have been documented, especially against journalists, activists and political opponents.
Amnesty International has pointed to a March 2024 ruling in a US court that ordered NSO Group to hand over documents and code related to Pegasus to WhatsApp. Google and Microsoft have also intervened in US litigation against NSO Group.
What Antivirus Detects Pegasus Spyware?
Several antivirus products claim to detect Pegasus. Bear in mind that on iOS, third-party apps are sandboxed and cannot inspect the system or other apps, so iPhone detection in practice relies on forensic analysis of backups and sysdiagnose archives rather than on an on-device scanner. Some of the products are:
1. Bitdefender
Bitdefender says its antivirus defends against the latest Pegasus versions, including those aimed at iPhones. The company states that its anti-malware engines identified the first form of Pegasus back in 2017 and that its signatures have been updated continuously since to keep up with new variants.
2. Microsoft Defender Antivirus
Designed to protect Windows and Android systems, Microsoft Defender Antivirus automatically removes threats as they are detected. Many infections nonetheless leave remnant files and system changes behind; updating the antimalware definitions and running a full scan can help address these artefacts.
For end users, Microsoft recommends avoiding password reuse between accounts and using multi-factor authentication (MFA). For enterprises, it suggests a checklist that includes switching on cloud-delivered protection, running EDR in block mode, and more.
3. Avast One
Avast reports that it tracked and blocked several attempts by Pegasus to infiltrate Android phones in 2019. Jakub Vavra, a Mobile Threat Analyst at Avast, said that Avast blocks Pegasus like any other spyware:
“Pegasus is used only on a few individuals, apparently, for surveillance purposes. The minimal spread of the spyware doesn’t make it less dangerous, for each individual being under surveillance the scope of privacy damage is certainly very high. Pegasus can monitor a variety of popular messengers and email providers such as Facebook, WhatsApp, Gmail, Telegram and others.”
Pegasus Spyware Controversy
The Pegasus Project triggered a controversy over human rights abuses against journalists, activists, politicians and others who were targeted in unauthorised covert operations using this surveillance tool.
As part of this project, 80 journalists from 17 media outlets across 10 countries collaborated to conduct an investigative report. They were coordinated by Forbidden Stories, a Paris-based media non-profit, in partnership with Amnesty International’s Security Lab. Forensic tests were carried out on mobile phones that were likely targeted by Pegasus. The findings confirmed several new cases of Pegasus spyware attacks.
According to Amnesty International, a leaked list of more than 50,000 phone numbers had been selected as potential surveillance targets by NSO Group's customers. Forensic analysis of a sample of those phones found traces of NSO's "zero-click" attacks (infections that require no interaction from the target), and these attacks were linked to previously documented attacks on human rights defenders (HRDs) using NSO Group software.
When evidence emerged that a tool sold as lawful surveillance software was once again being misused, bodies including the United Nations and the European Council expressed concern, raising serious questions about privacy, freedom of expression and the potential for abuse of power.
How to Remove Pegasus Spyware?
Sadly, there is no guaranteed way to remove Pegasus from a device once it has been infected, and antivirus products are of limited help on iOS. What does exist is forensic detection: Amnesty International's Security Lab maintains the open-source Mobile Verification Toolkit (MVT), which looks for traces of compromise rather than removing them. If traces are found, preserve the evidence (the backup and sysdiagnose archive) before doing anything else, then seek expert help; the usual advice is to stop using the affected device and replace it.
MVT analyses iOS backups and file-system dumps as well as Android devices. Its functions include the following:
- Decrypt encrypted iOS backups.
- Process and parse records from numerous iOS system and apps databases and system logs.
- Extract installed applications from Android devices.
- Extract diagnostic information from Android devices through the adb protocol.
- Compare extracted records to a provided list of malicious indicators in STIX2 format. Automatically identify malicious SMS messages, visited websites, malicious processes, and more.
- Generate JSON logs of extracted records, and separate JSON logs of all detected malicious traces.
- Generate a unified chronological timeline of extracted records, along with a timeline of all detected malicious traces.
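MVT itself is driven from the command line: `mvt-ios download-iocs` fetches the published indicator bundles, `mvt-ios decrypt-backup` and `mvt-ios check-backup --iocs <file>` handle the iOS workflow, and `mvt-android check-adb` the Android one. The Python below is an added example written for this article (not MVT's code): it re-implements the core of the last three bullets in miniature, loading single-comparison STIX2 indicator patterns of the kind found in Amnesty's pegasus.stix2 and comparing constructed records (browser history, an SMS, running processes) against them, with subdomain matching for domains. The bundle, the records and every indicator value are constructed, and the matching rules are a simplification of MVT's rather than a copy.

```python
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import urlsplit

# Accepts the simple single-comparison STIX2 patterns used in published
# Pegasus indicator files, e.g. "[domain-name:value = 'example.test']".
PATTERN_RE = re.compile(
    r"\[(?P<type>[\w-]+):(?P<field>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]"
)
URL_RE = re.compile(r"https?://[^\s'\"<>()]+")

# Constructed STIX2 bundle standing in for Amnesty's pegasus.stix2 (assumption).
SAMPLE_STIX2 = {
    "type": "bundle",
    "id": "bundle--00000000-0000-0000-0000-000000000000",
    "objects": [
        {"type": "indicator", "name": "constructed exploit-delivery domain",
         "pattern": "[domain-name:value = 'malicious-example.test']"},
        {"type": "indicator", "name": "constructed process name",
         "pattern": "[process:name = 'rolexd']"},
        {"type": "indicator", "name": "hash indicator (parsed but unused here)",
         "pattern": "[file:hashes.sha256 = '0000000000000000']"},
        {"type": "identity", "name": "not an indicator, skipped"},
    ],
}

# Constructed records of the kind MVT extracts from a backup or over adb.
SAMPLE_RECORDS = [
    {"module": "safari_history", "event": "visit",
     "url": "https://cdn.malicious-example.test/api/x?token=1"},
    {"module": "safari_history", "event": "visit", "url": "https://www.apple.com/"},
    {"module": "sms", "event": "message",
     "text": "Your package is waiting: https://malicious-example.test/track"},
    {"module": "processes", "event": "process", "name": "rolexd"},
    {"module": "processes", "event": "process", "name": "SpringBoard"},
]


def load_indicators(bundle: dict) -> dict[str, set[str]]:
    """Group indicator values by observable type, e.g. 'domain-name:value'."""
    iocs: dict[str, set[str]] = defaultdict(set)
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", "").strip())
        if m:  # unsupported pattern shapes are ignored, not an error
            iocs[f"{m['type']}:{m['field']}"].add(m["value"].lower())
    return iocs


def domain_hit(host: str, domains: set[str]) -> str | None:
    """Exact or subdomain match: cdn.x.test hits the indicator x.test."""
    host = host.lower().rstrip(".")
    return next((d for d in domains if host == d or host.endswith("." + d)), None)


def match_records(records: list[dict], iocs: dict[str, set[str]]) -> list[dict]:
    """Return one detection per (record, indicator) pair, in record order."""
    detections = []
    for rec in records:
        # Any string field may carry a URL: browser history, SMS bodies, etc.
        for value in rec.values():
            if not isinstance(value, str):
                continue
            for url in URL_RE.findall(value):
                if url.lower() in iocs["url:value"]:
                    detections.append({"record": rec, "type": "url", "ioc": url})
                    continue
                host = urlsplit(url).hostname or ""
                d = domain_hit(host, iocs["domain-name:value"])
                if d:
                    detections.append({"record": rec, "type": "domain-name", "ioc": d})
        # Process records carry the binary name in "name".
        name = rec.get("name", "").lower()
        if name and name in iocs["process:name"]:
            detections.append({"record": rec, "type": "process", "ioc": name})
    return detections


if __name__ == "__main__":
    for d in match_records(SAMPLE_RECORDS, load_indicators(SAMPLE_STIX2)):
        print(f"{d['record']['module']}: {d['type']} indicator {d['ioc']!r} matched")
```

Real indicator files also carry email addresses, IP addresses and file hashes; extend `match_records` with the corresponding record fields before trusting a clean result, and treat a match as grounds for a full examination rather than a verdict.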