Questions are being asked over the work of Israel-based cyber surveillance specialist NSO Group after the exposure of more than 50,000 phone numbers belonging to activists, journalists and other people deemed “of interest” to some of the world’s most repressive regimes that had been using its Pegasus remote access trojan (RAT).
Details of the abuse of the Pegasus spyware – which is legitimately used by law enforcement customers and counter-terrorist agencies, among others – were revealed over the weekend of 17 and 18 July in a coordinated release by multiple media outlets, including the Guardian in the UK. The newspapers obtained the list of numbers from a French non-profit media organisation Forbidden Stories and charity Amnesty International.
The data dump is said to include details of journalists at prominent media organisations including Al Jazeera, Bloomberg, CNN, the Economist, the New York Times and the Wall Street Journal, among others.
Governments alleged to have targeted their critics using Pegasus include Azerbaijan, Bahrain, the UAE, Hungary, Kazakhstan, India, Mexico, Morocco, Rwanda and Saudi Arabia.
In a lengthy statement (edited for clarity) shared with the initial reporting organisations, NSO strenuously denied the allegations contained in the stories. It said it vetted all its government customers and did not operate the systems sold to them, nor did it have access to the data they might collect.
It denied “false claims” and “uncorroborated theories” and tried to cast doubt on the motives of Forbidden Stories for investigating it.
This is not, however, the first time that questions have been raised over the Pegasus software. In 2019, WhatsApp found that Pegasus had been used to infect more than 1,000 devices with malware through a zero-day vulnerability. NSO has also been accused of exploiting vulnerabilities in Apple software to target iOS devices. Analysis by Amnesty International’s Security Lab suggests that NSO is constantly searching for new zero-days in established mobile applications.
Besides exploiting vulnerabilities, or via spear-phishing attacks on targets, Pegasus can also be installed over wireless if the target phone is in range of a specific transceiver, said Amnesty. Once present, it can exfiltrate a device’s entire contents, as well as take control of the phone’s microphone and camera and record calls.
Jakub Vavra, a mobile threat analyst at Czech security firm Avast, said he had been tracking and blocking attempts by Pegasus to breach Android devices since 2016, with a spike in activity in 2019. However, it is not commonly seen in the wild, so the risk to the average person is likely lower.
“Pegasus has little prevalence in comparison to other Android spyware. Evidently it is used as a highly targeted tool, as unlike spyware which often is spread widely to harvest masses of user data, Pegasus is used only on a few individuals, apparently, for surveillance purposes,” said Vavra.
“The minimal spread of the spyware doesn’t make it less dangerous, for each individual being under surveillance the scope of privacy damage is certainly very high.”
ProPrivacy’s Atila Tomaschek said that even though NSO Group claims to thoroughly vet its customers before selling Pegasus to them, when the firm’s clients include authoritarian governments with poor human rights records, it’s clear that the claim would inevitably be questioned.
“The Pegasus spyware revelations serve to show how authoritarian governments around the world have no reservations whatsoever about conducting surveillance operations on their citizens and silencing dissenting voices,” said Tomaschek.
“It’s difficult to believe that the NSO Group has been completely naive to how its clients were likely to be using its Pegasus spyware solution, or that it was fuelling such a massive offensive on human rights and civil liberties around the globe.”
Tomaschek urged governments to hold developers of legitimate monitoring applications more accountable for how their products are used: “The private spyware industry is only going to continue to grow, and its influence will intensify if this space remains as alarmingly unregulated as it is today. Tech companies need to ensure their products are safe to use in the face of increasingly sophisticated spyware that has the potential to be abused in such a widespread and frightening manner.”
Comparitech’s Brian Higgins added: “While the proprietary Pegasus software belongs to NSO Group and it does its best to control its deployment contractually, there will always be consumers who will seek to repurpose its functionality to their own ends.
“This story is still developing, but it is already apparent that the numbers of potential victims quoted do not accurately reflect the amount of malicious activity currently facilitated by this software. It is an unfortunate reality that talented developers can never totally understand the full spectrum of uses their ideas may fulfil in the future.”