How does Pegasus spyware work, and is my phone at risk?
A major journalistic investigation has found evidence of malicious software being used by governments around the world. From a list of more than 50,000 phone numbers, journalists identified more than 1,000 people in 50 countries reportedly under surveillance using the Pegasus spyware. The software was developed by the Israeli company NSO Group and sold to government clients.
How did they do it?
There's nothing particularly complicated about how the Pegasus spyware infects the phones of victims. The initial hack involves a crafted SMS or iMessage that provides a link to a website. If clicked, this link delivers malicious software that compromises the device. The aim is to seize full control of the mobile device's operating system, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices).
Usually, rooting on an Android device is done by the user to install applications and games from unsupported app stores, or to re-enable functionality that was disabled by the manufacturer. Similarly, a jailbreak can be applied to Apple devices to allow the installation of apps not available on the Apple App Store, or to unlock the phone for use on alternative cellular networks.
Many jailbreak approaches require the phone to be connected to a computer each time it's turned on (referred to as a tethered jailbreak). Rooting and jailbreaking both remove the security controls embedded in Android or iOS operating systems.
Most media reports on Pegasus relate to the compromise of Apple devices. The spyware infects Android devices too, but isn't as effective there, as it relies on a rooting technique that isn't 100 per cent reliable.
How can I tell if I'm being monitored?
It is in the very nature of spyware to remain covert and undetected on a device. That said, there are mechanisms in place to show whether your device has been compromised.
The (relatively) easy way to determine this is to use the Amnesty International Mobile Verification Toolkit (MVT). This tool runs under either Linux or macOS and examines the files and configuration of your mobile device by analysing a backup taken from the phone.
While the analysis won't confirm or disprove whether a device is compromised, it detects indicators of compromise (for example, known malicious domains appearing in messages), which can provide evidence of infection.
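To make the idea of indicator-of-compromise matching concrete, here is an added example in Python (it is not MVT's code, and it does not contain real Pegasus indicators). It builds a small, constructed SQLite table shaped loosely like a phone backup's message store, then checks every link in every message against a list of placeholder domains standing in for a published indicator list. Real tools like MVT read standardised indicator files and the actual backup layout, but the matching step is the same in spirit: extract the hosts from links, compare them (including subdomains) against known-bad domains, and report each hit with enough context to investigate.

```python
import re
import sqlite3

# Constructed placeholder indicators. The .test and .invalid TLDs are
# reserved and never resolve, so these are safe stand-ins for the kind of
# domain indicators a published IoC list would contain. They are NOT real
# Pegasus indicators.
MALICIOUS_DOMAINS = {"example-bad-domain.test", "lure-site.invalid"}

# Captures the host part of an http(s) URL (stops at '/', ':' or whitespace).
URL_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def build_sample_backup():
    """Create an in-memory SQLite table loosely shaped like a messages store.

    The rows are constructed sample data for this example only.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message ("
        "id INTEGER PRIMARY KEY, date TEXT, sender TEXT, text TEXT)"
    )
    rows = [
        (1, "2021-07-01 09:12:00", "+10000000001",
         "Hi, are we still on for lunch?"),
        (2, "2021-07-02 14:03:00", "+10000000002",
         "Breaking: see https://example-bad-domain.test/article/123"),
        (3, "2021-07-03 08:45:00", "+10000000003",
         "Your parcel is waiting: https://track.lure-site.invalid:8443/p"),
        (4, "2021-07-04 19:20:00", "+10000000004",
         "Great read here https://news.example.org/story"),
    ]
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def extract_domains(text):
    """Return the lower-cased hosts of all links found in a message body."""
    return [host.lower() for host in URL_RE.findall(text or "")]


def domain_matches(domain, iocs):
    """True if the host equals an indicator domain or is a subdomain of one."""
    return any(domain == ioc or domain.endswith("." + ioc) for ioc in iocs)


def scan_messages(conn, iocs):
    """Scan every message and return a list of indicator hits with context."""
    hits = []
    query = "SELECT id, date, sender, text FROM message ORDER BY id"
    for msg_id, date, sender, text in conn.execute(query):
        for domain in extract_domains(text):
            if domain_matches(domain, iocs):
                hits.append({
                    "message_id": msg_id,
                    "date": date,
                    "sender": sender,
                    "matched_domain": domain,
                })
    return hits


def run_scan():
    """Convenience entry point: build the sample backup and scan it."""
    conn = build_sample_backup()
    try:
        return scan_messages(conn, MALICIOUS_DOMAINS)
    finally:
        conn.close()


if __name__ == "__main__":
    for hit in run_scan():
        print(f"[IOC HIT] message {hit['message_id']} ({hit['date']}) "
              f"from {hit['sender']}: {hit['matched_domain']}")
```

Running the script reports messages 2 and 3 as hits (the second one because `track.lure-site.invalid` is a subdomain of a listed domain) and ignores the link to `news.example.org`. This illustrates the point above: a hit is evidence worth following up, and a clean scan only means none of the known indicators were found, not that the device is definitely uncompromised.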
What can I do to be better protected?
Although most people are unlikely to be targeted by this type of attack, there are still simple steps you can take to minimise your exposure not only to Pegasus but to other malicious attacks too.
Only open links from known and trusted contacts and sources when using your device. Pegasus is deployed to Apple devices through an iMessage link. This is the same technique used by many cybercriminals for both malware distribution and less technical scams. The same applies to links sent via email or other messaging applications.
Make sure your device is updated with any relevant patches and upgrades. If you use Android, don’t wait for notifications for new versions of the operating system. Check for the latest version yourself, as your device manufacturer may not be providing updates.
Limit physical access to your phone by enabling a PIN, fingerprint or face lock on the device. The eSafety Commissioner's website has a range of videos explaining how to configure your device securely.
Avoid public and free Wi-Fi services, including those offered by hotels.