Skip navigation
Prison Profiteers - Header
× You have 2 more free articles available this month. Subscribe today.

Pegasus Software: State-sponsored Spyware Usage Likely Infecting Billions of Phones

by Casey J. Bastian 

Pegasus. Likely the world’s most powerful private spyware ever developed—and almost no one is aware of what it is or how likely it is to have already installed itself on your phone. Billions of people today are virtually inseparable from their phones. These devices are within reach for use in every daily experience from the most prosaic to the most private. Very few actually stop to consider that their phone might be converted into a surveillance device. Pegasus was developed by a private Israeli company called NSO Group.

The company’s spyware is marketed and licensed to governments all across the globe. NSO Group has become a billion-dollar company in the privatized government surveillance industry. The market for private surveillance, in which NSO Groups and other similar companies operate, is almost entirely unregulated. Such unrestricted operating ability allows for tools like Pegasus to be used as instruments of repression for some very undemocratic countries like Saudi Arabia, Kazakhstan, and Azerbaijan. Pegasus is capable of infecting phones whether the operating system is iOS or Android.

Literally a weapon of mass surveillance, Pegasus operates 24-hours a day, and the spyware can copy sent and received messages, gather your personal photographs, and record your calls. Pegasus can activate the phone’s camera and microphone, surreptitiously recording your intimate conversations or secretly filming your movements. It can even be used to precisely pinpoint your location, where you’ve been, and with whom you’ve met. David Kaye is a United Nations special rapporteur on freedom of expression. Until viable export controls are in place, Kaye believes there should be a moratorium on the sale of Pegasus-type spywares to governments. Kaye warned that the industry seems to be “out of control, unaccountable and unconstrained in providing governments with relatively low-cost access to the sorts of spying tools that only the most advanced state intelligence services were previously able to use.”

This is not okay. Privacy in one’s communications is a basic human right, a civil liberty, and needs to be at the core of any society that considers itself “free.” And while all people deserve privacy and should be concerned, most private citizens only need to be aware and protective of their privacy, not scared. It’s journalists and human rights and democracy activists who are most at risk as they are frequently at odds with very powerful governments. No one should be surprised that when the spyware was found on cell phones worldwide in 2016 that people were very angry. Thousands of the most at-risk people and groups had been targeted and spied upon.

The 2016 version of Pegasus was the earliest discovered version captured by researchers. That early version used text messages or emails that trick a user into clicking on a malicious link; a nefarious process called “spear-fishing.” The battle against mass surveillance is likely pitting Apple, that has over one billion active iPhones used by customers around the world, against companies like NSO Group, which develop software to defeat the phones’ sophisticated security and privacy software. In 2019, WhatsApp revealed that NSO Group software was used to install malware by exploiting a zero-day vulnerability (which is a flaw or bug in the operating system that a manufacturer either does not know about or cannot fix) on more than 1,400 phones. The Android operating systems of 15 devices were examined, and none showed a successful Pegasus infiltration. However, three of those phones did show signs of targeting through the Pegasus-linked SMS messages.

Apple’s iPhone is another matter. Apple claims that it has “the most secure consumer platform in the world.” Pegasus Project research shows that the malwares may be one step ahead. “When an iPhone is compromised, it’s done in such a way that allows the attacker to obtain so called root privileges, or administrative privileges, on the device. Pegasus can do more than what the owner can do,” said Claudio Guarnieri, of Amnesty International’s Berlin-based Security Lab. Traces of Pegasus have been found as recently as July 2021 on up-to-date iOS systems.

Experts agree that the iPhone’s most popular feature, iMessage, is also its greatest vulnerability. Apple created BlastDoor to screen suspect messages before they insert themselves deeply into the phone. “We’ve have seen Pegasus deployed through iMessage against Apple’s latest version of iOS, so it’s pretty clear that NSO can beat BlastDoor,” said Bill Marczak, a fellow at Citizen Lab, which is a cyber security analyst unit at the University of Toronto. Patrick Wardle is a former National Security Agency (“NSA”) employee and founder of Objective-see, a Mac security development company. Wardle said that, “Once an attacker is inside, they, he or she can almost leverage the device’s security against the user.”

Apple claims that software like Pegasus is “not a threat to the overwhelming majority of our users” and that the company is “adding new protections for their devices and data” constantly. Experts also believe that it is Apple’s closed culture and fear of negative press that inhibits meaningful protections being implemented; the company does not want to admit how vulnerable its users are. Apple did eventually have to acknowledge the potential Pegasus has to cause harm to its users. In a statement, Apple said: “Apple unequivocally condemns cyber-attacks against journalists, human rights activists, and others seeking to make the world a better place.”

NSO Group rejects the idea that its Pegasus spyware is a weapon used by powerful governments to chill dissenters. The company is adamant that only “carefully vetted government intelligence and law enforcement agencies” use Pegasus—and then by those carefully vetted to only “penetrate the phones of legitimate and terror group targets.” The massive data leak provided to The Guardian reveals the identities of many innocent people who were singled out as candidates for Pegasus surveillance.

“The truth is too many democratic or democratic leaning countries are facilitating the spread of this malware because they want to be able to use it against their own enemies,” according to an Electronic Frontier Foundation (“EFF”) publication. America is one such country that would rather exploit software like Pegasus for its own purposes than ensure it is not the cause of human rights abuses.

EFF has been warning about the dangers from state-sponsored malware for years. It will take international legislative and judicial cooperation to curtail this expanding abuse. It is nearly impossible for any one group, organization, or company to impose true accountability on the governments and companies responsible for such malware. And stories of malware being used against journalists and human rights defenders continue to be exposed. Some, like Jamal Khashoggi and Cecilio Pineda-Birto, have been the ultimate victims of pervasive surveillance; men murdered for their beliefs.

Without directly conducting forensic examinations on their actual phones, whether these men were successfully targeted may never be known. As their names were on the lists contained in the data leaks, it is reasonable to infer that some government group went to great lengths to spy on men it considered critics, rivals, and opponents. The data leak revealed a list of over 50,000 phone numbers. Each of these numbers represents an individual considered a “person of interest” by NSO Group government. The list of persons included business people, academics, lawyers, human rights’ defenders, religious figures, diplomats, senior government officials, and heads of state. NSO Group claims this number being indicative of persons being targeted for surveillance is “exaggerated.” The data information also includes the exact date and time any specific number was selected and placed in the system for potential Pegasus infiltration.

NSO Group claims that U.S. telephone numbers (that start with +1) are not able to be tracked with the Pegasus malware, but U.S. citizens have foreign-based phone services. So this is little consolation. Mexican reporter Carmen Aristegui’s number was on the leaked data list and her phone did contain evidence of Pegasus activity. Aristegui appears to have been targeted after the corruption scandal involving former Mexican president Enrique Pena Nieto was exposed by her reporting. The list also included her 16-year-old son’s number.

The Paris-based nonprofit journalism group Forbidden Stories along with Amnesty International first had access to the data list. Since the data leak, the information has been shared with 16 media organizations, and more than 80 journalists have worked on the Pegasus Project. This consortium does acknowledge that the data list is only indicative of intent to surveil, and the data do not reveal whether the Pegasus spyware had been uploaded to all of the phones’ operating system or even if infiltration had been attempted.

The data also revealed that a very limited number of U.S. numbers were on the list. The data lists do not indicate which NSO Group client selected the number listed. Pegasus Project identified 10 governments it believes are responsible for assembling the list: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates. NSO Group claims that Pegasus was sold to 60 clients in 40 countries but will not identify any of them.  

Evidence indicates that all 10 governments are NSO Group customers. Amnesty International conducted forensic examinations on 67 of the smartphones where Pegasus attacks were suspected. A successful infection was found in 23 of those, and 14 more showed signs of attempted intrusion. The examination on this small number of phones did reveal a tight correlation between when the number was placed on the target list and the start of Pegasus infiltration; in most cases, it took only a few seconds. The forensic analyses also revealed that NSO Group developers have expanded their search for operating system weaknesses in other apps beyond WhatsApp.

NSO Group has invested incredible time and effort to make its software extremely difficult to detect, making Pegasus intrusions very hard to recognize. “Things are becoming a lot more complicated for the targets to notice,” said Guarnieri. Adding that NSO Group clients have changed from using SMS messages to a more subtle infiltration through “zero-click” attacks. These types of attacks do not require the user to do anything once the software is on the device. The malware will simply imbed itself and begin to function.

The NSO Group lawyers claim that the Pegasus Project conclusions were based “on misleading interpretations of leaked data from accessible and overt basic information, such as HLR Lookup services ... we still do not see any correlation of these lists to anything related to use of NSO Group technologies.” HLR stands for “home location register.” This is a reference to a mobile phone operating networks’ essential database that records users, their general locations, and other identifying information that is routine in routing calls and texts. An HLR Lookup service providing access to this data as being the source of the data leaks could actually be innocuous. The data leak list examined by Pegasus Project that identified Pegasus infiltration and targeting of individuals by undemocratic governments is not.

Some Pegasus Project detractors claims this is much ado about nothing: if you have done nothing wrong, you have nothing to fear. It is pretty clear that this is not the case. Those pursuing freedom and democracy are being tracked, watched, and potentially murdered by hostile regimes, using nation-state intelligence level malware made by companies like NSO Group.

Law abiding citizens are not immune from unwarranted surveillance. Intelligence agencies and law enforcement from the “Five Eyes” allegiance of intelligence powers—Australia, Canada, New Zealand, the United Kingdom, and the United States—must support security, accountability, and redress for innocent citizens when their devices are intruded without cause. Until then, this outrageous conduct will continue. Strong communication protection is a must. Unless protections are put in place, none of us can truly be safe in this new surveillance era.  


As a digital subscriber to Criminal Legal News, you can access full text and downloads for this and other premium content.

Subscribe today

Already a subscriber? Login



The Habeas Citebook: Prosecutorial Misconduct Side
CLN Subscribe Now Ad
Prison Profiteers - Side