Protect Yourself from Powerful Pegasus Spyware (Updated)

TL;DR:

Note from the authors: This write-up is meant to provide an overview on Pegasus, why you should be concerned, how Lookout can help protect you and what actions security admins should take. For additional information, please read our full technical report.

Lookout Customers: If you believe your organization or one of your employees have been compromised by Pegasus, please reach out to our support team immediately.

Latest developments: iPhones of U.S. diplomats hacked with Pegasus software; spyware maker NSO Group sued by Apple, Inc. and banned from trading with the U.S.

Even five years after Lookout and Citizen Lab discovered it, the advanced mobile spyware Pegasus remains highly relevant as revelations of its widespread usage and evolving capabilities — such as the ability to deliver zero-click attacks — continue to surface.

Just recently, Apple alerted 11 U.S. diplomats working abroad that their iOS devices had been infected by the malware — the widest known attack on U.S. officials by Pegasus to date. This story was first reported by Reuters and confirmed by The Washington Post. While it’s unclear who launched the attack, the developer behind the spyware, Israel-based NSO Group, has been facing mounting scrutiny from government agencies and private organizations for its dealings with questionable regimes around the world.

The affected U.S. officials are reportedly based in Uganda or focused on matters concerning the country. It appears that these diplomats’ devices were compromised by the malware via a known vulnerability patched in September. These attacks are the widest known hacks of U.S. officials by NSO technology to date.

In early November, the U.S. Commerce Department banned American corporations from conducting business with NSO. Subsequently, Apple, Inc., alleging that U.S. citizens were targeted by the spyware, became the latest company to sue the spyware maker, nearly a year after a group of high-profile tech firms including Microsoft, Google, Cisco and VMware joined Meta’s legal action against the group.

Earlier in 2021, in a joint investigation into a leaked list of more than 50,000 phone numbers, 17 media organizations found a high concentration of individuals from countries known to engage in surveillance. The reporting confirmed that Pegasus has been used on business executives, human rights activists, journalists, academics and government officials. These regions are also known to have been clients of the NSO Group.

All of these recent revelations illustrate that tablets and smartphones aren’t immune to cyberattacks and spyware doesn’t just target people in government organizations. Android and iOS devices are now an integral part of how we work and manage daily lives. That means cyberattackers can steal a wealth of sensitive data from these devices, including sensitive personal information and proprietary corporate data. 

We recommend you tune into our Pegasus podcast episode where Hank Schless, senior manager of security solutions, talks with Joseph Davis, Chief Security Advisory at Microsoft, about the interconnectivity between spyware and phishing. We discuss how Zero Trust and mobile security will go a long way to securing organizations from spyware or any other forms of malware.

What is Pegasus?

Once considered the most advanced mobile spyware in the world, Pegasus can be deployed on both iOS and Android devices. Since its discovery, the spyware has continued to evolve. What makes Pegasus highly sophisticated is the control it gives the malicious actor over the victim’s device, the data it can extract, and its evolution into a zero-click payload.

Pegasus can extract highly accurate GPS coordinates, photos, email files and encrypted messages from apps such as WhatsApp and Signal. It can also turn on the device’s microphone to eavesdrop on private in-room conversations or phone calls and activate the camera to record video.

For years, the NSO Group has denied that Pegasus is used by malicious actors. The firm claims that it only sells Pegasus to the intelligence and enforcement community of about 40 countries and that all prospects' human rights histories are rigorously vetted. The 2018 assassination of journalist Jamal Khashoggi raised significant doubt about this because it was widely believed that the Saudi government tracked Khashoggi by compromising his mobile phone with Pegasus.

Citizens and governments alike should be concerned

This revelation of how widely Pegasus spyware is used should alarm all citizens, not just government entities. The commercialization of spyware, similar to phishing tools, puts everyone at risk. As Joseph and I discussed on the podcast, you or your employees may not be direct targets of spyware like Pegasus, but you could be caught in the crossfire or become a pivot point for the attacker to get to their target.

Mobile devices can access the same data as a PC from anywhere. This dramatically increases the attack surface and risk for organizations because mobile devices are typically used outside the security perimeter. As Joseph pointed out, once something like Pegasus gets onto a mobile endpoint, the attacker has access to everything, whether it’s your Microsoft 365 or Google Workspace accounts. At that point, it doesn’t matter whether something is encrypted: the attacker sees what the user sees. This makes any executive or employee with access to sensitive data, technological research or infrastructure a lucrative target for cybercriminals.

While mobile OS and app developers are constantly improving the security of their products, these platforms are also becoming more complex. This means there will always be room for vulnerabilities to exploit and for spyware like Pegasus to thrive.

Mobile phishing attacks remain at the root

As much as things may change, mobile phishing remains the most effective first step for cyberattackers. Just like other mobile malware, Pegasus is typically delivered to its victims through a phishing link. The most effective delivery of phishing links is with social engineering. For example, Pegasus was brought to our attention by a journalist who was sent a link from an anonymous mobile number promising tips about a human rights story they were working on.

While Pegasus has evolved to a zero-touch delivery model — meaning the victim doesn’t need to interact with the spyware for their device to be compromised — the link hosting the spyware still has to reach the device. Considering the countless iOS and Android apps that have messaging functionality, this could be done through SMS, email, social media, third-party messaging, gaming or even dating apps.

How these attacks work and how Lookout can help protect you

The advanced tactics used by Pegasus are similar to many other Advanced Persistent Threats (APTs). Here is how Lookout can help protect your organization in the context of these principal tactics that APTs use to carry out an attack:

1. Payload delivery

The first step for Pegasus and any APT is usually through phishing. Lookout Phishing and Content Protection (PCP) can protect your organization against each of the following scenarios that Pegasus and other APTs use:

  • Scenario: Pegasus can be executed as a zero-click or one-click infection. Regardless of which tactic is used, the actual spyware software package payload is still loaded over the network.
  • How Lookout protects you: Lookout continuously discovers, acquires, and analyzes newly registered domains and websites to uncover those that are purpose-built for phishing and malicious purposes. Lookout anti-phishing provides near real-time protection against zero-hour phishing attacks.
  • Lookout admin action: Enable Lookout PCP across your entire mobile fleet and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.

2. Vulnerability exploitation

Spyware frequently exploits vulnerabilities at both the app and device level in order to gain access to the operating system (OS) of the device or exfiltrate data from particular parts of the system.

  • Scenario: Lookout Mobile Endpoint Security (MES) detects when an app vulnerability is present on a mobile device and when the device is running an OS or Android Security Patch Level (ASPL) version with known vulnerabilities. In each case, Lookout can alert both the user and the security administrator.
  • How Lookout protects you: Lookout Mobile Vulnerability Management discovers all known Common Vulnerabilities and Exposures (CVE) for both iOS and Android at the OS and app level. It will automatically flag devices in your fleet that have any vulnerabilities present.
  • Lookout admin action: Configure policies requiring a minimum OS or ASPL version and the updating of vulnerable apps to the latest version.

3. Device compromise

Pegasus and other APTs will silently jailbreak or root the victim’s device. Also, while zero-day exploits by their nature aren’t known, they leave the system in a compromised state. Lookout Mobile Endpoint Security can protect your organization’s mobile fleet from these exploits in the following ways:

  • Scenario: Lookout detects the indicators of device compromise and alerts device owners. Detection is based on analyzing device telemetry data, including file system data, system behavior and parameters. Depending on the details of the spyware package, such as how it operates or where it sits on the device systems, Lookout detects the traces it may produce.
  • How Lookout protects you: Lookout continuously ingests malware artifacts and telemetry from the mobile ecosystem. This feeds our machine intelligence to automatically identify malicious behavior across any device or app.
  • Lookout admin action: Ensure the default Root/Jailbreak policy is activated, set the priority to high, and set the action to alert the device and block access to the internet.
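The admin actions in sections 2 and 3 amount to a per-device compliance check: compare each device's OS version and Android Security Patch Level (ASPL) against a policy minimum, and treat a root/jailbreak indicator as grounds to alert and block. The following is an added illustration of that check, not Lookout's own code; the policy minimums, telemetry field names and fleet records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

@dataclass
class Device:
    device_id: str
    platform: str            # "ios" or "android"
    os_version: str          # e.g. "15.1" or "12"
    aspl: Optional[str]      # Android Security Patch Level "YYYY-MM-DD"; None on iOS
    jailbroken: bool         # root/jailbreak indicator reported by device telemetry

# Constructed policy minimums (assumptions for this example, not real defaults)
POLICY = {
    "min_ios_version": "15.1",
    "min_android_version": "12",
    "min_aspl": date(2021, 9, 1),
}

def parse_version(v: str) -> tuple:
    """Turn '15.1' or '12' into a comparable tuple, padded so '12' == '12.0.0'."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (3 - len(parts))

def evaluate(device: Device, policy: dict = POLICY) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings = []
    if device.jailbroken:
        findings.append("root/jailbreak indicator present: alert device and block access")
    min_os = policy["min_ios_version"] if device.platform == "ios" else policy["min_android_version"]
    if parse_version(device.os_version) < parse_version(min_os):
        findings.append(f"OS {device.os_version} below required minimum {min_os}")
    if device.platform == "android":
        # A missing ASPL is treated as non-compliant rather than silently passing.
        if device.aspl is None or date.fromisoformat(device.aspl) < policy["min_aspl"]:
            findings.append(f"ASPL {device.aspl} older than {policy['min_aspl'].isoformat()}")
    return findings

def noncompliant(fleet: List[Device]) -> Dict[str, List[str]]:
    """Map device_id -> findings for every device that violates at least one policy."""
    return {d.device_id: evaluate(d) for d in fleet if evaluate(d)}

# Constructed sample fleet telemetry
FLEET = [
    Device("ios-001", "ios", "15.1", None, False),
    Device("ios-002", "ios", "14.8", None, True),
    Device("and-003", "android", "12", "2021-10-05", False),
    Device("and-004", "android", "11", "2021-08-05", False),
]

if __name__ == "__main__":
    for dev_id, findings in noncompliant(FLEET).items():
        print(dev_id, findings)
```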

4. Communication from the payload

Similar to other malware, Pegasus will communicate with a command-and-control (C2) server from which it will take orders from the malicious actor and to which it will send exfiltrated data.

  • Scenario: Just like any website, C2 servers are hosted on remote systems that Lookout can identify as malicious.
  • How Lookout protects you: Lookout detects when the device is attempting to connect to a C2 server and terminates the connection. This can help prevent sensitive data exfiltration and additional malware downloads.
  • Lookout admin action: Enable Lookout PCP across your organization and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.

Listen in on our Endpoint Enigma podcast episode about Pegasus and spyware to hear from Microsoft Chief Security Advisory Joseph Davis on why organizations should have Zero Trust and mobile security as part of their security strategy.

To see Mobile Endpoint Security with Phishing and Content Protection in action, contact our team to schedule a demo.

Updated Dec. 2, 2021: We updated the blog to include news of Apple confirming that iPhones of 11 U.S. diplomats were compromised using Pegasus.
