The Washington Post

A guide to spyware
How vulnerable are you to hacking? And why it’s hard to protect your phone.

The Pegasus Project, an investigation by The Washington Post and 16 other news organizations in 10 countries, was coordinated by the Paris-based journalism nonprofit Forbidden Stories and advised by Amnesty International. Those two groups had access to a list of more than 50,000 phone numbers that included surveillance targets for clients of the Israeli spyware company NSO Group, which they shared with the journalists. Over the past several months, the journalists reviewed and analyzed the list in an effort to learn the identities of the owners of the phone numbers and to determine whether their phones had been implanted with NSO’s Pegasus spyware.

The investigation was able to link more than 1,000 government officials, journalists, businesspeople and human rights activists to numbers and to obtain data for 67 phones whose numbers appeared on the list. That data was then analyzed forensically by Amnesty International’s Security Lab. Thirty-seven of those showed evidence of an attempted Pegasus intrusion or a successful hack.

Further analysis indicated that many of those intrusions or attempted intrusions came shortly after the phone number had been entered onto the list — some within seconds — suggesting a link between the list and subsequent surveillance efforts.

How vulnerable are you to such spyware? Are there steps you can take to keep your phone safe? Here are some answers:

What is spyware, and who uses it?

Spyware is a catchall term for a category of malicious software, or malware, that seeks to collect information from somebody else’s computer, phone or other device. Spyware can be relatively simple, taking advantage of well-known security weaknesses to hack into poorly defended devices. But some of it is very sophisticated, relying on unpatched software flaws that can allow someone to pry into even the latest smartphones with advanced security measures.

The most sophisticated spyware is generally deployed by law enforcement or intelligence agencies, and there is a robust private market to provide those tools to nations that can afford them, including the United States. It has long been suspected that terrorist groups and sophisticated criminal gangs also have access to spyware.

What can spyware collect?

Almost anything on a device is vulnerable to sophisticated spyware. Many people are familiar with traditional wiretapping, which allows real-time monitoring of calls, but spyware can do that and much more. It can collect emails, social media posts, call logs, even messages on encrypted chat apps such as WhatsApp or Signal. Spyware can determine a user’s location, along with whether the person is stationary or moving — and in what direction. It can collect contacts, user names, passwords, notes and documents. That includes photographs, videos and sound recordings. And the most advanced spyware can activate microphones and cameras — without turning on lights or any other indicators that recording has begun. Essentially, if users can do something on their devices, so can the operators of advanced spyware. Some can even deliver files to devices without users approving or knowing.

Why doesn’t encryption stop this?

What’s known as “end-to-end encryption” protects transmission of data between devices. It’s useful to stop “man-in-the-middle” attacks, where a hacker intercepts a message between its sender and recipient, because the message is locked with a specific encryption key. Such forms of encryption, widely adopted on commercial services after revelations by National Security Agency whistleblower Edward Snowden in 2013, also make it more difficult for government agencies to conduct mass surveillance by monitoring Internet traffic. But it’s not useful against “endpoint” attacks, which target either end of the communication. Once the encrypted message lands on the intended device, the system runs a program to decode the message to make it readable. When that happens, spyware on the device can read it, too.

What is NSO?

The NSO Group is a private company based in Israel that is a leading maker of spyware. Its signature product, Pegasus, is designed to break into iPhones and Android devices. Founded in 2010, the company says it has 60 government customers in 40 countries. The company, which also has offices in Bulgaria and Cyprus, reportedly has 750 employees and recorded revenue of more than $240 million last year, according to Moody’s. It’s majority-owned by Novalpina Capital, a London-based private-equity firm.

Who are NSO’s customers?

The company won’t say, citing confidentiality agreements. Citizen Lab has documented suspected Pegasus infections in 45 locations: Algeria, Bahrain, Bangladesh, Brazil, Canada, Egypt, France, Greece, India, Iraq, Israel, Ivory Coast, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, the Palestinian territories, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the United Arab Emirates, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen and Zambia. However, the presence of infected phones does not necessarily mean a country’s government is a client.

NSO has long said that Pegasus cannot be used to successfully target phones in the United States and that it should be used only against “suspected criminals and terrorists.” But research groups have found that it’s also been used to spy on political figures, journalists and human rights workers — findings confirmed by the Pegasus Project investigation.

How are spyware infections found?

Modern spyware is built to overtake systems while making it look as though nothing has changed, so hacked phones often have to be closely examined before they can show evidence they were targeted. Amnesty’s Security Lab designed a test to scan the data from phones for traces of a potential Pegasus infection, and the consortium asked people if they would agree to the analysis after learning their numbers were on the list. Sixty-seven agreed. Of those, data for 23 phones showed evidence of a successful infection and 14 had traces of an attempted hack.

For the remaining 30 phones, the tests were inconclusive, in several cases because the phones had been lost or replaced and the tests were attempted on backup files that might have held data from the previous phone. Fifteen of the tests were on data from Android phones, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Can I tell if my device was hacked?

Probably not. The malware is designed to work stealthily and cover its tracks. That’s why your best defense is probably guarding against infection in the first place.

Is my device vulnerable?

Nearly everyone’s smartphone is vulnerable, though most ordinary smartphone users are unlikely to be targeted in this way. Aside from criminal suspects and terrorists, those most likely to be surveillance targets include journalists, human rights workers, politicians, diplomats, government officials, business leaders, and relatives and associates of prominent people. Specially designed — and very expensive — phones using varieties of the Android operating system along with advanced security measures may resist attack by spyware, but there’s no way to know for sure.

Are there things I can do to make myself safer?

There are cybersecurity basics that make people somewhat safer from hacks of all sorts. Keep your devices and their software up to date, preferably by activating “automatic updates” on your settings. Devices over five years old — especially if they are running outdated operating systems — are particularly vulnerable.

Use a unique, hard-to-guess password for each device, site and app you use, and avoid easily predictable ones based on your phone number, date of birth or the names of your pets. A password manager such as LastPass or 1Password can make that easier. You should also turn on “two-factor authentication” everywhere you can: Those sites will ask not just for your password but for a second code, either sent to your phone or accessible via a separate authenticator app.

Avoid clicking on links or attachments from people you don’t recognize. Whenever possible, activate “disappearing messages” or similar settings so communications automatically vanish after a set period of time.

Who else can help protect my privacy?

The entities with the most power to thwart spyware are probably makers of devices and software, such as Apple and Google. They have been improving security on their smartphone operating systems for years — but not enough to entirely thwart Pegasus and similar malware. Giant “cloud computing” companies can also take action to prevent their servers from helping the attacks: Both Microsoft and Amazon Web Services say they have taken steps to block malware when they’ve learned their systems were being used to transmit it.