Click for homepage
Pegasus
Zero-click mobile phone spyware

Pegasus is spyware, developed by the Israeli cyber surveillance company NSO Group, that can be covertly installed on mobile phones and other computing devices, including those that run on iOS and Android [1]. The software was first identified by researchers in 2016 and is active to this day (2021) [2]. It is believed that it was used as early as 2013 by the United Arab Emirates (UAE) [1]. Whilst NSO Group insists that it only supplies its spyware for lawful interception, the Pegasus Project has revealed its widespread use for unlawful eavesdropping on high-profile targets [4].


Pegasus is also known as a zero-click Trojan virus, as it requires no action from the victim. Over the years, the attack vector has changed a number of times after software companies (like Google and Apple) had fixed reported security issues. The spyware is invisible to the victim and can access any part of the mobile phone, including messages, e-mails, microphone and camera. Furthermore it removes itself when it is no longer required and attempts to leave no traces. 1

In its first annual Transparency and Responsibility report, issued on 30 June 2021, NSO claims that it only licences Pegasus to select approved, verified and authorized states and state agencies [9]. NSO also states that it is closely regulated by export control authorities in the countries from which it exports its products: Israel, Bulgaria and Cyprus. 2 The Defense Export Control Agency (DECA) of the Israeli Ministry of Defense strictly restricts the licensing of some of NSO's products and conducts its own analysis of potential customers from a human rights perspective [10]. In May 2022, the European Union published an interesting and alarming report on the matter [27].

  1. In the past, Pegasus has repeatedly failed to remove all traces of its presence. This has since become (part of) the forensic NSO fingerprint.
  2. Whilst the export regulations of Israel might be 'closely regulated', those of the other two countries – Bulgaria and Cyprus – are far less restrictive.

The Pegasus Project
Investigation

The Pegasus Project is a ground-breaking investigation by more than 80 journalists from 17 media in 10 countries, into the modus operandi and the targets of NSO's Pegasus spyware. The project was coordinated by Paris-based non-profit organisation Forbidden Stories, and was technically supported by Amnesty International, involving cutting-edge forensic tests on mobile phones to detect traces of the Pegasus spyware. The results were published on 18 July 2021 [4].

Non-exhaustive overview of countries that are believed to use NSO spyware
Suspected users of Pegasus according to The Guardian and others

  • Azerbaijan
  • Bahrain
  • Djibouti
  • El Salvador
  • Estiona 2
  • Germany
  • Hungary 1
  • India
  • Israel
  • Jordan
  • Kazakhstan
  • Mexico 1
  • Morocco 1
  • Netherlands [26]
  • Panama
  • Poland 1
  • Rwanda
  • Saudi Arabia 1
  • Spain
  • Thailand
  • Togo
  • UAE 1
  • Uganda
  • Ukraine 3
  • USA (FBI) [1]
  1. Licence revoked by the Israeli Government in August 2022 after pressure from EU [28].
  2. Licence revoked by the Israeli Government in 2018 after pressure from Russia [1].
  3. Licence repeatedly refused as Russia was likely to be targeted [1].

Amnesty and Forbidden Stories started their investigation after receiving a leaked list with 50,000 potential targets of NSO's clients since 2016. According to the investigators, the governments of the countries listed above, are among the users of NSO's Pegasus spyware [12]. In the light of the revelations, NSA whistle­blower Edward Snowden called for a world-wide ban on the trade of spyware, saying that companies like NSO belong to "an industry that should not exist" [11].

On 4 November 2021, the Commerce Department of the US Government officially blacklisted NSO Group, after determining that the Isreali spyware maker has acted contrary to the foreign policy and national security interests of the US [22]. It is also seen as a slap on the wrist of the Israeli Government. A day later Lajos Kósa, chairman of the Hungarian Defense and Law Enforcement Committee, confessed to an RTL journalist that the Hungarian Ministry of the Interior had indeed procured Pagesus spyware, but stressed that it was used for lawful interception only [23].

On 2 June 2022, the Dutch newspaper De Volkskrant revealed that the Dutch General Intelligence Service (AIVD) is also amoung the users of Pagasus, at least since 2019 [26].


Apple   iOS, MacOS
Although Apple's iOS devices, such as the iPhone, are arguably more secure than those of its competitors, Canadian researchers from The Citizen Lab disclosed as early as 2016 that the iPhone had been compromised by NSO software [2]. It had been possible due to a weakness in the iPhone's operating system — iOS. This weakness has since been fixed by Apple.

Nevertheless, Amnesty International reported in July 2021 that iPhones were again under attack, after receiving a leaked list of potentional targets of NSO software (Pegasus) [4]. Together with Paris-based non-profit organisation Forbidden Stories – joined by a group of journalists from all over the world – an investigation was launched under the name The Pegasus Project [5]. It was revealed that Pagasus uses a vulnerability in iMessage, Apple's proprietary messenger application.

The Citizen Lab has since confirmed that the vulnerability – named FORCEDENTRY by them – was exploited at least since February 2021. It was discovered in a backup of the iPhone of a Saudi activist, that had been made in March 2021, involving two PDF files – disguised as GIF images – that had been sent to the phone in an unsollicited iMessage [15]. It works by causing an integer overflow in Apple's CoreGraphics library, which eventually leads to execution of malicious code.

The Citizen Lab shared the artifacts of its investigation with Apple on 7 September 2021, where it was given the designator CVE-2021-30860. On 13 September, Apple confirmed that the files included a zero-day exploit against iOS and MacOS, and promptly released a security update [16].

Apple devices were again under attack by Pegasus in September 2023, when Citizen Lab discovered a zero-click zero-day vulnerability which has been exploited in the wild. The exploit, which they named BLASTPASS, was delivered to a target phone in a maliciously crafted image as part of an iMessage. Apple registered the vulnerabilities as CVE-2023-41064 (imageIO buffer overflow) and CVE-2023-41061 (Wallet), and deployed a security fix within days [29].


Al Jazeera   The Spy in Your Phone
On 20 December 2020, the international Quatar-funded television station Al Jazeera aired a 47 minute program called The Spy in Your Phone, in which it shows exclusive footage about NSO's Pegasus spyware, and its penetration into the phones of media professionals and activists. In this case, the spyware was alledgedly used by Israel to spy on opponents and even its allies [18]. The program was an episode in the Al Jazeera 2016-2020 series The Hidden is More Immense [19].


 Watch on YouTube (English)
 Watch on YouTube (Arabic)


Suspected infections
On 18 September 2018, The Citizen Lab published a detailed report of an investigation based on newly developed internet scanning techniques. It was revealed – with a high probability – that Pagasus spyware was used to target the communications of people in at least 45 countries [13].

Suspected targets of Pegasus according to The Citizen Lab and others


  • Algeria
  • Armenia
  • Azerbaijan
  • Bagrain
  • Bangladesh
  • Belgium
  • Brazil
  • Canada
  • Côte d'Ivoire
  • Djibouti
  • Egypt
  • El Salvador
  • European Union
  • Finland
  • France
  • Greece
  • Hong Kong
  • India
  • Iraq
  • Israel
  • Jordan
  • Kazakhstan
  • Kenya
  • Kuwait
  • Kyrgyzstan
  • Latvia
  • Lebanon
  • Libya
  • Mexico
  • Morocco
  • Netherlands
  • Pakistan
  • Palestine
  • Panama
  • Palestine
  • Poland
  • Qatar
  • Rwanda
  • Saudi Arabia
  • Singapore
  • South Africa
  • Switzerland
  • Tadjikistan
  • Thailand
  • Togo
  • Tunesia
  • Türkiye
  • UAE
  • Uganda
  • Uzbekistan
  • UK
  • USA
  • Yemen
  • Zambia
European Union
In March 2022, a special commission of the European Union (PEGA) started an investigation into the use of Pegasus (and similar spyware from other companies) within the European Union. In May 2022 an in-depth analysis was published, whilst the investigation was ongoing [27].

In August 2022, the Israeli newspaper Haaretz revealed that the Israeli Goverment had restricted the list of countries that are allowed to use Pegasus, to just 37. Until then, 102 countries had been on this list. At the same time, the licences of countries who had previously used Pegasus but were no longer on the list, were revoked. Amoung the countries of which the licences were revoked, were Poland, Hungary, Mexico, Saudi-Arabia and the United Arab Emirates (UAE) [28].

NSO Group confirmed to the PEGA commission, that it works with 22 security, intelligence and law-enforcment agencies in 12 European countries. On the new list of allowed countries are 25 European countries 1 plus the United States, Canada, Iceland, Norway, Switzerland, Australia, India, Japan, New-Zealand and Sounth-Korea 2 [28].

  1. All European countries except Poland and Hungary.
  2. The fact that these countries are on the 'allowed' list does not imply that they are using Pegasus.

Codewords
BLASTPASS   Citizen Lab codeword for the zero-day iPhone vulnerabilities CVE-2023-41064 and CVE-2023-41061, exploited by Pegasus and discovered in September 2023.
CASCADEFAIL   Citizen Lab codeword for a specific forensic artifact – actually a bug – that attributes spyware to NSO with great certainty. It is based on NSO's faillure to remove specific traces of it presence.
FORCEDENTRY   Citizen Lab codeword for a zero-click exploit in iMessage that uses a weakness in Apple's CoreGraphics library. First seen in February 2021 and fixed by Apple on 13 September 2021.
HIPPOCRENE FACTOR   Citizen Lab codeword for a specific forensic artifact that reveals the (former) presence of Pegasus spyware on an iPhone with high confidence. Technical details of this artifact have not been disclosed at this time (30 October 2021).
KINGDOM   Citizen Lab codeword for Saudi Arabia.
KISMET   Citizen Lab codeword for a zero-click exploit in iMessage against at least iOS 13.5.1. At least 36 personal phones beloning to journalists, producers, anchors and executive at Al Jazeera were affected. Also known as The Great iPwn [17].
MONARCHY   Citizen Lab codeword for a specific Pegasus operator, which is probably Saudi Arabia.
PEARL   Citizen Lab codeword for Bahrain.
SNEAKY KESTREL   Citizen Lab codeword for a specific Pegasus operator, which is probably the United Arab Emirates (UAE).
References
  1. Wikipedia, Pegasus (spyware)
    Retrieved July 2021.

  2. The Citizen Lab, The Million Dollar Disident
    NSO Group's iPhone Zero-Days used against a AUE Human RIghts Defender.
    24 August 2016.

  3. Amnesty International, Amnesty International among targets of NSO-powered campaign
    1 August 2018. Updated 1 October 2018.

  4. Amnesty International, Massive data leak reveals NSO Group's spyware used to target activists, journalists and political leaders globally
    18 July 2021.

  5. Amnesty International, Forensic Methodology Report: How to catch NSO Group's Pegasus
    18 July 2021.

  6. Amnesty International, Pegasus Project: Apple iPhones compromised by NSO spyware
    19 July 2021.

  7. Amnesty International, Amnesty categorically stands by Pegasus Project data set
    22 July 2021.

  8. Wikipedia, Pegasus Project (investigation)
    Retrieved July 2021.

  9. NSO Group, Transparency and Responsibility Report 2021
    30 June 2021. Retrieved July 2021. Page 8.

  10. NSO Group, Transparency and Responsibility Report 2021
    30 June 2021. Retrieved July 2021. Page 4.

  11. David Pegg and Paul Lewis,
    Edward Snowden calls for spyware trade band amid Pegasus revelations

    The Guardian, 19 July 2021.

  12. Stephanie Kirchgaessner, Paul Lewis, David Pegg, Sam Cutler, Nina Lakhani and Michael safi, Revealed: leak uncovers global abuse of cyber-surveillance weapon
    The Guardian, 18 July 2021.

  13. Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak and Ron Deibert, Hide and Seek — Tracking NSO Group's Pegasus Spyware to Operations in 45 Countries
    The Citizen Lab, 18 September 2018.

  14. Lizzie O'Leary, Behind the Mercenary Spyware Industry
    Interview with Citizen Lab's John Scrott-Railton. Slate (website), 26 July 2021.

  15. FORCEDENTRY, NSO Group iMessage Zero-Click Exploit Captured in the Wild
    Bill Marczak, John Scott-Railton, Bahr Abdul Razzak, Noura Al-Jizawi, Siena Anstis, Kristen Berdan and Ron Deibert. 13 September 2021.

  16. Apple, About the security content of Security Update 2021-005 Catalina
    13 September 2021.

  17. The Citizen Lab, The Great iPwn
    Bill Marczak, John Scott-Railton, Noura Al-Jizawi, Siena Anstis and Ron Deibert.
    20 December 2020.

  18. Al Jazeera, The Spy in Your Phone
    Via YouTube (English), 20 December 2021.
     Arabic version

  19. Wikipedia, The Hidden is More Immense
    Retrieved September 2021.

  20. The Citizen Lab, Breaking the News
    New YorkTimes Journalist Ben Hubbard hacked with Pegasus after Reporting on Previous Hacking Attempts. Bill Marczak, John Scott-Railton, Siena Anstis, Bahr Abdul Razzak and Ron Deibert. 24 October 2021.

  21. Drew Harwell et al., Biden administration blacklists NSO Group over Pegasus spyware
    The Washington Post, 3 November 2021.

  22. Stephanie Kirchgaessner, Israeli spyware company NSO Group placed on US blacklist
    The Guardian, 3 November 2021.

  23. Belföld, Kósa Lajos admits that the Ministry of the Interior bough Pegasus spyware
    Telex, 4 November 2021. In Hungarian language.

  24. Camile Gijs, Spanish PM Pedro Sánchez had phone hacked with Pegasus spyware
    Politico, 2 May 2022, 11:06.

  25. Vincent Manancourt, Hack of Spanish PM's phone deepens Europe's spyware crisis
    Politico, 2 May 2022, 18:20.

  26. Huib Modderkolk, AIVD gebruikt omstreden Israëlische hacksoftware
    AIVD uses controversial Israeli hacking software.
    De Volkskrant, 2 June 2022 (in Dutch).

  27. European Union, Pegasus and surveillance spyware
    In-depth analysis for the PEGASUS committee. Policy Department for Citizens' Rights and Constitutional Affairs, Directorate-General for Internal Policies. PE 732.268, May 2022.

  28. Marokko van lijst landen die Pegasus mogen gebruiken gehaald
    Morocco removed from list of countries allowed to use Pegasus.
    bladna.nl, 13 August 2022 (in Dutch).

  29. Richard Speed, Apple races to patch the latest zero-day iPhone exploit
    The Register, 8 September 2023.
Further information
Any links shown in red are currently unavailable. If you like the information on this website, why not make a donation?
Crypto Museum. Created: Monday 26 July 2021. Last changed: Monday, 11 September 2023 - 10:41 CET.
Click for homepage