July 20, 2021

Protect Yourself from Powerful Pegasus Spyware

By Hank Schless

Note from the author: This write-up is meant to provide an overview on Pegasus, why you should be concerned, how Lookout can help protect you and what actions security admins should take. For additional information, please read our full technical report.

Lookout Customers: If you believe your organization or one of your employees has been compromised by Pegasus, please reach out to our support team immediately. 

Updated Aug. 6, 2021: Microsoft Chief Security Advisor Joseph Davis joined us on Endpoint Enigma to discuss Pegasus, why social engineering and spyware are closely connected, and why mobile security and Zero Trust need to be key components of an organization's security strategy.

Revelation of potential Pegasus targets 

First uncovered by Lookout and Citizen Lab in 2016, the highly advanced mobile spyware Pegasus was confirmed in July 2021 to have been used against business executives, human rights activists, journalists, academics and government officials.

In a joint investigation into a leaked list of more than 50,000 phone numbers, 17 media organizations found a high concentration of individuals from countries known to engage in surveillance. Those countries are also known to have been clients of the NSO Group, the Israel-based company behind the development of Pegasus and a known leader in the largely unregulated commercial spyware industry.

Even if your phone number isn't on the list, this revelation illustrates that tablets and smartphones aren't immune to cyberattacks and that spyware doesn't only target people in government organizations. Android and iOS devices are now an integral part of how we work and manage our daily lives, so a compromised device gives an attacker access to a wealth of sensitive data, from personal information to proprietary corporate data.

I recommend you tune into our Pegasus podcast episode where I talk with Joseph Davis, Chief Security Advisor at Microsoft, about the interconnection between spyware and phishing. We discuss how Zero Trust and mobile security go a long way toward securing organizations against spyware and other forms of malware.

What is Pegasus?

Once considered the most advanced mobile spyware in the world, Pegasus can be deployed on both iOS and Android devices. Since its discovery, the spyware has continued to evolve. What makes Pegasus highly sophisticated is the control it gives the malicious actor over the victim’s device, the data it can extract, and its evolution into a zero-click payload. 

Pegasus can extract highly accurate GPS coordinates, photos, email files and messages from end-to-end encrypted apps such as WhatsApp and Signal; because it runs on the device itself, it reads those messages after the app has decrypted them. It can also turn on the device's microphone to eavesdrop on private in-room conversations or phone calls and activate the camera to record video.

For years, the NSO Group has denied that Pegasus is used by malicious actors. The firm claims that it sells Pegasus only to intelligence and law enforcement agencies in about 40 countries and that every prospective customer's human rights record is rigorously vetted. The 2018 assassination of journalist Jamal Khashoggi raised significant doubt about this, because it was widely believed that the Saudi government tracked Khashoggi by compromising his mobile phone with Pegasus.

Citizens and governments alike should be concerned

This revelation of how widely Pegasus spyware is used should alarm all citizens, not just government entities. The commercialization of spyware, much like the commercialization of phishing kits, puts everyone at risk. As Joseph and I discussed on the podcast, you or your employees may not be direct targets of spyware like Pegasus, but you could be caught in the crossfire or become a pivot point for the attacker to reach their target.

Mobile devices can access the same data as a PC, from anywhere. This dramatically increases the attack surface and risk for organizations because mobile devices are typically used outside the security perimeter. As Joseph pointed out, once something like Pegasus gets onto a mobile endpoint, the attacker has access to everything the device can reach, whether that is Microsoft 365 or Google Workspace accounts. At that point, it doesn't matter whether data is encrypted in transit or at rest: the attacker sees what the user sees. This makes any executive or employee with access to sensitive data, technological research or infrastructure a lucrative target.

While mobile OS and app developers are constantly improving the security of their products, these platforms are also becoming more complex. This means there will always be room for vulnerabilities to exploit and for spyware like Pegasus to thrive.

Mobile phishing attacks remain at the root

As much as things may change, mobile phishing remains the most effective first step for cyberattackers. Like other mobile malware, Pegasus has typically been delivered to its victims through a phishing link, and the most effective way to get a victim to open such a link is social engineering. Pegasus was first brought to our attention in 2016 by a human rights activist who received a text message from an unknown number promising new information about a human rights issue he was working on.

While Pegasus has since evolved to a zero-click delivery model, meaning the victim no longer needs to tap a link or otherwise interact with the lure for their device to be compromised, the message or content carrying the exploit still has to reach the device. Considering the countless iOS and Android apps that have messaging functionality, that could happen through SMS, email, social media, third-party messaging, gaming or even dating apps.

How these attacks work and how Lookout can help protect you

The advanced tactics used by Pegasus are similar to many other Advanced Persistent Threats (APTs). Here is how Lookout can help protect your organization in the context of these principal tactics that APTs use to carry out an attack:

1. Payload delivery

The first step for Pegasus, as for most APTs, is usually phishing. Lookout Phishing and Content Protection (PCP) can protect your organization against the following scenarios that Pegasus and other APTs use:

  • Pegasus can be delivered as a zero-click or one-click infection. Regardless of which tactic is used, the actual spyware payload is still loaded over the network, which means the download can be observed and blocked.
  • Admin action: Enable PCP across your entire mobile fleet and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.
  • How we do it: Lookout continuously discovers, acquires and analyzes newly registered domains and websites to uncover those that are purpose-built for phishing and other malicious purposes. This lets Lookout Phishing and Content Protection provide near real-time protection against zero-hour phishing attacks.

2. Vulnerability exploitation

Spyware frequently exploits vulnerabilities at both the app and device level in order to gain access to the OS of the device or exfiltrate data from particular parts of the system.

  • The Lookout app can detect when a vulnerable app is present on the end-user device and when the device is running an OS version or Android Security Patch Level (ASPL) with known vulnerabilities. In each case, Lookout can alert both the user and the admin.
  • Admin action: Enable a required minimum OS or ASPL version policy and the vulnerable app version policy. Require users to update their device and apps to the latest versions before they are granted access to company resources.
  • How we do it: Lookout Mobile Vulnerability Management tracks known Common Vulnerabilities and Exposures (CVEs) for both iOS and Android at the OS and app level. It automatically flags devices in your fleet that have any of those vulnerabilities present.
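The minimum-version check described above is simple to state but easy to get wrong in code: version strings do not sort correctly as text, and Android patch levels are dates rather than versions. The following Python is an added illustration, not Lookout's code. It evaluates a constructed device inventory against a constructed policy of that kind; the app id com.example.messenger, the device ids and every version number are made up for the example.

```python
"""Minimum OS / Android Security Patch Level (ASPL) policy evaluator.

Added example, not Lookout's code. It evaluates a constructed device
inventory against a constructed policy: iOS devices must run at least a
minimum version, Android devices must run a minimum OS version and carry
a security patch level no older than a cutoff date, and listed apps must
be at or above a minimum version.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'14.7.1' -> (14, 7, 1). Tuple comparison orders versions correctly
    ('14.10' > '14.9'), which plain string comparison gets wrong."""
    return tuple(int(part) for part in v.strip().split("."))


def parse_aspl(s: str) -> date:
    """Android reports its patch level as an ISO date, e.g. '2021-07-05'."""
    return date.fromisoformat(s.strip())


@dataclass
class Device:
    device_id: str
    platform: str                      # "ios" or "android"
    os_version: str
    aspl: str = ""                     # Android security patch level, "" if unknown
    apps: Dict[str, str] = field(default_factory=dict)  # app id -> installed version


@dataclass
class Policy:
    min_ios: str
    min_android: str
    min_aspl: str
    min_app_versions: Dict[str, str]   # app id -> minimum acceptable version


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the policy violations for one device; an empty list means compliant."""
    findings: List[str] = []
    if device.platform == "ios":
        if parse_version(device.os_version) < parse_version(policy.min_ios):
            findings.append(f"iOS {device.os_version} below minimum {policy.min_ios}")
    elif device.platform == "android":
        if parse_version(device.os_version) < parse_version(policy.min_android):
            findings.append(f"Android {device.os_version} below minimum {policy.min_android}")
        if not device.aspl:
            # A device that cannot report its patch level must not be trusted by default.
            findings.append("no security patch level reported")
        elif parse_aspl(device.aspl) < parse_aspl(policy.min_aspl):
            findings.append(f"patch level {device.aspl} older than {policy.min_aspl}")
    else:
        findings.append(f"unknown platform {device.platform!r}")
    for app_id, min_v in policy.min_app_versions.items():
        installed = device.apps.get(app_id)
        if installed is not None and parse_version(installed) < parse_version(min_v):
            findings.append(f"{app_id} {installed} below minimum {min_v}")
    return findings


def noncompliant(devices: List[Device], policy: Policy) -> Dict[str, List[str]]:
    """Map device_id -> violations for every device that fails the policy."""
    result: Dict[str, List[str]] = {}
    for d in devices:
        findings = evaluate(d, policy)
        if findings:
            result[d.device_id] = findings
    return result


# Constructed sample policy and fleet. "com.example.messenger" is a hypothetical app id.
SAMPLE_POLICY = Policy(
    min_ios="14.7.1",
    min_android="10",
    min_aspl="2021-06-01",
    min_app_versions={"com.example.messenger": "3.4.0"},
)
SAMPLE_FLEET = [
    Device("ios-001", "ios", "14.7.1"),
    Device("ios-002", "ios", "14.6"),
    Device("and-003", "android", "11", aspl="2021-07-05",
           apps={"com.example.messenger": "3.4.2"}),
    Device("and-004", "android", "10", aspl="2021-03-01",
           apps={"com.example.messenger": "3.2.1"}),
    Device("and-005", "android", "9"),
]

if __name__ == "__main__":
    for dev_id, findings in noncompliant(SAMPLE_FLEET, SAMPLE_POLICY).items():
        print(dev_id, "->", "; ".join(findings))
```

Two design points worth noting: a device that reports no patch level at all is treated as non-compliant rather than ignored, and each violation is returned as its own finding so an access policy can block on any of them while the admin still sees the full list.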

3. Device compromise

Pegasus and other APTs silently jailbreak or root the victim's device. While a zero-day exploit is by definition unknown in advance, the privilege escalation it performs leaves the device in a compromised state that can still be detected. Lookout Mobile Endpoint Security can protect your organization's mobile fleet from these exploits in the following ways:

  • The Lookout app can detect the indicators of device compromise and alert users. Detection is based on a wide variety of data including file system data, system behavior and parameters.
  • Depending on the details of the spyware package, such as how it operates or where it sits on the device systems, it may produce traces that the Lookout detection code can identify.
  • Admin action: Ensure the default Root/Jailbreak policy is activated, set the priority to high, and set the action to alert the device and block access to the internet.
  • How we do it: Lookout continuously ingests malware artifacts and telemetry from the mobile ecosystem. This feeds our machine intelligence to automatically identify malicious behavior across any device or app.

4. Communication from the payload

Similar to other malware, Pegasus will communicate with a command-and-control (C2) server from which it will take orders from the malicious actor and to which it will send exfiltrated data. 

  • Like any website, C2 servers are hosted on remote systems with domain names and addresses that Lookout can identify as malicious.
  • Admin action: Enable PCP across your organization and activate the default policy that requires users to enable it on their device in order to access the internet and company resources.
  • How we do it: Lookout can detect when the device is attempting to connect to a C2 server and terminate the connection. This helps prevent exfiltration of sensitive data and the download of additional malware.
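The domain-reputation logic referred to in sections 1 and 4 (flagging purpose-built phishing hosts and C2 servers, including newly registered domains) can be sketched in a few lines. The Python below is an added example, not Lookout's detection code: it runs over constructed proxy log lines, with a constructed blocklist and a constructed domain first-seen table standing in for a threat-intelligence feed and WHOIS or passive-DNS data. All domains are reserved example names and the device ids are made up.

```python
"""Flag connections to known-malicious or newly registered domains.

Added example, not Lookout's code. A destination is flagged if its
registrable domain is on a blocklist, or if the domain was first seen
within the last MAX_AGE_DAYS, a common heuristic for purpose-built
phishing and C2 infrastructure. The blocklist and domain-age table are
constructed stand-ins for a threat-intelligence feed and WHOIS/passive-DNS.
"""
import re
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed log format: "<timestamp> <device> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)
# Only a few two-label public suffixes handled here; production code uses the Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
MAX_AGE_DAYS = 30
SCAN_DATE = date(2021, 7, 20)   # the "today" used when judging domain age


def host_from_url(url: str) -> str:
    """Strip scheme, port and path: 'https://a.b.example:8443/x' -> 'a.b.example'."""
    m = re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://([^/?#:]+)", url)
    return (m.group(1) if m else url.split("/")[0].split(":")[0]).lower()


def registrable_domain(host: str) -> str:
    """Reduce a host to the domain its owner registered, so a throwaway
    subdomain ('news-tips.example.net') matches a blocklist entry ('example.net')."""
    labels = host.rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify(line: str, blocklist: Set[str], first_seen: Dict[str, date],
             today: date) -> Optional[dict]:
    """Return an alert record for a suspicious line, None if clean or unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host = host_from_url(m["url"])
    domain = registrable_domain(host)
    reasons: List[str] = []
    if domain in blocklist:
        reasons.append("known C2/phishing domain")
    seen = first_seen.get(domain)
    if seen is not None:
        age = (today - seen).days
        if age <= MAX_AGE_DAYS:
            reasons.append(f"domain registered {age} days ago")
    if not reasons:
        return None
    return {"ts": m["ts"], "device": m["device"], "host": host,
            "domain": domain, "reasons": reasons, "action": "block"}


def scan(lines: List[str], blocklist: Set[str], first_seen: Dict[str, date],
         today: date) -> List[dict]:
    """Run classify() over a log and collect the alerts in order."""
    alerts = []
    for line in lines:
        alert = classify(line, blocklist, first_seen, today)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample data: reserved example domains, made-up device ids and dates.
SAMPLE_BLOCKLIST = {"example.net"}
SAMPLE_FIRST_SEEN = {
    "example.com": date(1995, 8, 14),
    "example.org": date(2021, 7, 12),   # constructed: "registered" eight days before SCAN_DATE
}
SAMPLE_LOG = [
    "2021-07-20T09:14:02Z exec-phone-01 GET https://mail.example.com/inbox 200",
    "2021-07-20T09:14:31Z exec-phone-01 GET https://news-tips.example.net/story 200",
    "2021-07-20T09:15:07Z exec-phone-01 POST https://cdn-sync.example.org:8443/api/upload 200",
    "2021-07-20T09:16:44Z exec-phone-02 GET https://www.example.co.uk/ 200",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, SAMPLE_BLOCKLIST, SAMPLE_FIRST_SEEN, SCAN_DATE):
        print(a["ts"], a["device"], a["host"], "->", a["action"], "|", "; ".join(a["reasons"]))
```

The check works on the registrable domain rather than the full hostname because phishing and C2 operators rotate subdomains freely but pay for each registered domain; the age heuristic catches infrastructure stood up shortly before a campaign, which is why a blocklist alone is not enough.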

Listen in on our Endpoint Enigma podcast episode about Pegasus and spyware to hear from Microsoft Chief Security Advisor Joseph Davis on why organizations should have Zero Trust and mobile security as part of their security strategy.

To see Mobile Endpoint Security with Phishing and Content Protection in action, contact our team to schedule a demo.

This blog was originally published on blog.lookout.com.


Author

Hank Schless,
Senior Manager, Security Solutions