The Washington Post
A guide to spyware
How vulnerable are you to hacking? And why it’s hard to protect your phone.
The Pegasus Project, an investigation by The Washington Post and 16 other news organizations in 10 countries, was coordinated by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International. Those two groups had access to a list of more than 50,000 phone numbers that included surveillance targets for clients of the Israeli spyware company NSO Group, which they shared with the journalists. Over the past several months, the journalists reviewed and analyzed the list in an effort to learn the identities of the owners of the phone numbers and to determine whether their phones had been implanted with NSO's Pegasus spyware.
The investigation was able to link more than 1,000 government officials, journalists, businesspeople and human rights activists to numbers and to obtain data for 67 phones whose numbers appeared on the list. That data was then analyzed forensically by Amnesty International’s Security Lab. Thirty-seven of those showed evidence of an attempted Pegasus intrusion or a successful hack.
Further analysis indicated that many of those intrusions or attempted intrusions came shortly after the phone number had been entered onto the list — some within seconds — suggesting a link between the list and subsequent surveillance efforts.
How vulnerable are you to such spyware? Are there steps you can take to keep your phone safe? Here are some answers:
What is spyware, and who uses it?
Spyware is a catchall term for a category of malicious software, or malware, that seeks to collect information from somebody else's computer, phone or other device. Spyware can be relatively simple, taking advantage of well-known security weaknesses to hack into poorly defended devices. But some of it is very sophisticated, relying on software flaws that are not yet known to the device's maker, and so have no fix available, to pry into even the latest fully updated smartphones with advanced security measures.
The most sophisticated spyware is generally deployed by law enforcement or intelligence agencies, and there is a robust private market to provide those tools to nations that can afford them, including the United States. It has long been suspected that terrorist groups and sophisticated criminal gangs also have access to spyware.
What can spyware collect?
Almost anything on a device is vulnerable to sophisticated spyware. Many people are familiar with traditional wiretapping, which allows real-time monitoring of calls, but spyware can do that and much more. It can collect emails, social media posts, call logs, even messages on encrypted chat apps such as WhatsApp or Signal. Spyware can determine a user's location, along with whether the person is stationary or moving — and in what direction. It can collect contacts, user names, passwords, notes and documents. That includes photographs, videos and sound recordings. And the most advanced spyware can activate microphones and cameras — without turning on lights or any other indicators that recording has begun. Essentially, if users can do something on their devices, so can the operators of advanced spyware. Some can even deliver files to devices without users approving or knowing.
Why doesn’t encryption stop this?
What's known as "end-to-end encryption" protects data while it travels between devices. The message is scrambled with keys held only by the sender's and the recipient's devices, so the servers that relay it, and anyone who intercepts it along the way in a "man-in-the-middle" attack, see only unreadable ciphertext and cannot alter it without the recipient noticing. Such encryption, widely adopted on commercial services after revelations by National Security Agency whistleblower Edward Snowden in 2013, also makes it more difficult for government agencies to conduct mass surveillance by monitoring Internet traffic. But it is no help against "endpoint" attacks, which target the devices at either end of the conversation. Once the encrypted message reaches the intended device, the messaging app has to decrypt it so the user can read it. From that moment the readable message exists on the device, and spyware running there with the same access as the user or the app can read it, too.
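The boundary described above can be made concrete with a small model. The Python below is an added illustration, not code from the article or from any messaging service: two "phones" share a key, a network observer sees the message in transit, and a hypothetical implant runs on the receiving phone with the app's privileges. The cipher is a teaching construction built from Python's standard library (an HMAC-SHA256 keystream XORed with the message, then an HMAC tag over the result); real apps use standard authenticated ciphers, but the trust boundary it demonstrates is the same.

```python
"""Model of an end-to-end encrypted chat with a compromised endpoint.

Added illustration, not code from the article or from any messaging app.
The cipher is a teaching construction (HMAC-SHA256 keystream + HMAC tag);
the spyware function is hypothetical and stands for any implant that runs
with the messaging app's level of access on the device.
"""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for keystream and tag, derived from one shared secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = []
    counter = 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class Phone:
    """A messaging endpoint: holds the shared key and the decrypted inbox."""

    def __init__(self, key: bytes):
        self._key = key            # lives in the app's storage on the device
        self.inbox: list[str] = []

    def send(self, text: str) -> bytes:
        return encrypt(self._key, text.encode())

    def receive(self, blob: bytes) -> None:
        # The app must decrypt to display the message; plaintext now exists here.
        self.inbox.append(decrypt(self._key, blob).decode())


def network_observer(blob: bytes, guess: bytes) -> dict:
    """What a wiretap or relaying server gets: bytes it cannot read or alter."""
    try:
        decrypt(guess, blob)       # a guessed key fails the tag check
        readable = True
    except ValueError:
        readable = False
    tampered = bytearray(blob)
    tampered[NONCE_LEN] ^= 0x01    # flip one bit of the ciphertext in transit
    return {"readable": readable, "tampered": bytes(tampered)}


def spyware_on_device(phone: Phone) -> dict:
    """Hypothetical implant with the app's privileges: reads what the app reads."""
    return {"messages": list(phone.inbox), "key": phone._key}


def demo() -> dict:
    key = os.urandom(32)           # established between the two apps
    alice, bob = Phone(key), Phone(key)
    blob = alice.send("meet at 9")
    wire = network_observer(blob, guess=os.urandom(32))
    try:
        bob.receive(wire["tampered"])
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    bob.receive(blob)
    return {
        "wire_leaks_plaintext": b"meet at 9" in blob,
        "wire_can_read": wire["readable"],
        "tamper_detected": tamper_detected,
        "spyware_reads": spyware_on_device(bob)["messages"],
    }
```

Running demo() shows the two halves of the argument side by side: the bytes on the wire neither reveal the message nor survive tampering, yet the implant on the receiving phone gets the decrypted text (and the key) without touching the encryption at all.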
What is NSO?
The NSO Group is a private company based in Israel that is a leading maker of spyware. Its signature product, Pegasus, is designed to break into iPhones and Android devices. Founded in 2010, the company says it has 60 government customers in 40 countries. The company, which also has offices in Bulgaria and Cyprus, reportedly has 750 employees and recorded revenue of more than $240 million last year, according to Moody's. It's majority-owned by Novalpina Capital, a London-based private-equity firm.
Who are NSO's customers?
The company won't say, citing confidentiality agreements. Citizen Lab, a research group at the University of Toronto, has documented suspected Pegasus infections in 45 locations: Algeria, Bahrain, Bangladesh, Brazil, Canada, Egypt, France, Greece, India, Iraq, Israel, Ivory Coast, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, the Palestinian territories, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the United Arab Emirates, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen and Zambia. However, the presence of infected phones in a country does not necessarily mean that country's government is a client; the operator may be elsewhere.
NSO has long said that Pegasus cannot be used to successfully target phones in the United States and that it should be used only against “suspected criminals and terrorists.” But research groups have found that it’s also been used to spy on political figures, journalists and human rights workers — findings confirmed by the Pegasus Project investigation.
How are spyware infections found?
Modern spyware is built to overtake systems while making it look as though nothing has changed, so hacked phones often have to be closely examined before they can show evidence they were targeted. Amnesty’s Security Lab designed a test to scan the data from phones for traces of a potential Pegasus infection, and the consortium asked people if they would agree to the analysis after learning their numbers were on the list. Sixty-seven agreed. Of those, data for 23 phones showed evidence of a successful infection and 14 had traces of an attempted hack.
For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been lost or replaced and the tests were attempted on backup files that might not have held data from the previous phone. Fifteen of the tests were on data from Android phones, none of which showed evidence of successful infection. However, unlike iPhones, Android phones do not retain the kinds of system records required for Amnesty's detective work, so a clean result there says less than it would on an iPhone. Three Android phones showed signs of targeting, such as SMS messages carrying links to Pegasus-linked domains.
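The article does not publish Amnesty's method, but the general shape of such a scan is well understood: pull the records a phone keeps (SMS bodies, logs that name the remote hosts an app talked to), extract every address in them, normalize it and compare it against a list of domains known to be used by the spyware's operators, counting subdomains as hits. The Python below is an added illustration of that approach, not Amnesty's tooling or its indicator list; the indicator domains and the phone records it scans are constructed placeholders.

```python
"""Indicator scan over exported phone records.

Added example, not Amnesty International's tooling or indicator list.
The IOC domains and the sample records are constructed placeholders.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed indicator list (placeholders, not real infrastructure).
IOC_DOMAINS = {"update-check.example", "cdn-assets.example.net"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    source: str      # which record type produced the hit
    record_id: str
    indicator: str   # the IOC domain that matched
    evidence: str    # the URL or hostname seen in the record


def match_domain(host: str, iocs=IOC_DOMAINS):
    """Return the IOC that host equals or is a subdomain of, else None.

    Matching on '.' + domain keeps 'not-update-check.example' from being
    counted as a hit for 'update-check.example'; case and a trailing dot
    in the hostname are ignored.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_sms(messages, iocs=IOC_DOMAINS):
    """messages: iterable of dicts with 'id' and 'body', as an SMS export would give."""
    findings = []
    for msg in messages:
        for url in URL_RE.findall(msg["body"]):
            host = urlparse(url).hostname
            ioc = match_domain(host, iocs) if host else None
            if ioc:
                findings.append(Finding("sms", msg["id"], ioc, url))
    return findings


def scan_hosts(records, iocs=IOC_DOMAINS):
    """records: iterable of (record_id, hostname) from any log that names a remote host."""
    findings = []
    for record_id, host in records:
        ioc = match_domain(host, iocs)
        if ioc:
            findings.append(Finding("host", record_id, ioc, host))
    return findings


# Constructed sample data standing in for a real export.
SAMPLE_SMS = [
    {"id": "sms-1", "body": "Your package is waiting: https://update-check.example/track/7f3a"},
    {"id": "sms-2", "body": "Lunch at 1?"},
    {"id": "sms-3", "body": "Alert http://login.cdn-assets.example.net/verify and also "
                           "https://www.not-update-check.example/"},
]
SAMPLE_HOSTS = [
    ("net-1", "api.cdn-assets.example.net"),
    ("net-2", "www.example.org"),
    ("net-3", "UPDATE-CHECK.EXAMPLE."),
]


def run() -> list:
    """Scan both sample sources and return every finding, SMS first."""
    return scan_sms(SAMPLE_SMS) + scan_hosts(SAMPLE_HOSTS)
```

Two things in the sample are deliberate: the look-alike domain in sms-3 must not match, and the upper-case host with a trailing dot in net-3 must. A scan that gets either wrong produces false alarms or misses the real thing, which is why the normalization step matters as much as the indicator list. Note also what the example cannot do: it only finds records the phone actually kept, which is exactly why the Android results above were harder to read.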
Can I tell if my device was hacked?
Probably not. The malware is designed to work stealthily and cover its tracks. That’s why your best defense is probably guarding against infection in the first place.
Is my device vulnerable?
Nearly everyone’s smartphone is vulnerable, though most ordinary smartphone users are unlikely to be targeted in this way. Aside from criminal suspects and terrorists, those most likely to be surveillance targets include journalists, human rights workers, politicians, diplomats, government officials, business leaders, and relatives and associates of prominent people. Specially designed — and very expensive — phones using varieties of the Android operating system along with advanced security measures may resist attack by spyware, but there’s no way to know for sure.
Are there things I can do to make myself safer?
There are cybersecurity basics that make people somewhat safer from hacks of all sorts, though none of them guarantees protection against the most sophisticated tools. Keep your devices and their software up to date, preferably by activating "automatic updates" in your settings. Devices over five years old, especially if they are running operating systems the maker no longer updates, are particularly vulnerable.
Use a unique, hard-to-guess password for each device, site and app you use, and avoid easily predictable ones based on your phone number, date of birth or the names of your pets. A password manager such as LastPass or 1Password can make that easier. You should also turn on "two-factor authentication" everywhere you can: Those sites will ask not just for your password but for a second code, either sent to your phone or generated by a separate authenticator app. Keep in mind that these steps protect your accounts from attackers who do not control your phone; spyware already implanted on the device can read the passwords and codes shown on it just as it reads everything else.
Avoid clicking on links or opening attachments from people you don't recognize. Whenever possible, activate "disappearing messages" or similar settings so communications automatically vanish after a set period of time, which limits how much an intruder can recover from a device later.
Who else can help protect my privacy?
The entities with the most power to thwart spyware are probably makers of devices and software, such as Apple and Google. They have been improving security on their smartphone operating systems for years — but not enough to entirely thwart Pegasus and similar malware. Giant “cloud computing” companies can also take action to prevent their servers from helping the attacks: Both Microsoft and Amazon Web Services say they have taken steps to block malware when they’ve learned their systems were being used to transmit it.