An activist in the Middle East in August of this year noticed odd text messages coming to his phone. It turns out that those were instructions coming from the command and control center for Pegasus Spyware telling the Spyware what actions to take.
State-level Hackers for Hire
NSO Group is an Israeli firm that wrote Pegasus. It affects iOS up to version 9.3.5. Pegasus lets whoever is using it bypass iOS security and gain access to virtually all data on the phone including audio, video, contacts, GPS location, passwords, Wi-Fi router password, text messages, and messages and email from from Gmail, Facebook, Skype, WhatsApp, and other programs.
Pegasus is Spyware that NSO Groups sells to governments and anyone else who can pay $25,000 to deploy it to one victim’s phone. One organization bought 300 licenses for $8 million. It is not clear how someone found that out. Yet NGO has a LinkedIn page.
How to Detect and Get Rid of It
So far mobile device management and antivirus software cannot detect Pegasus.
One disables iOS updates. So to get rid of it you would need to wipe your phone. There is no indication that your phone is hacked except suspicious text messages that look like two-factor authentication codes coming from Google, Facebook, and others. Or you could connect your phone to a Mac and look for the different files listed in Appendix B of the Lookout report.
The average person is not going to know how to look for hidden system files. So if you can you should just erase your phone and assume you have been hacked. But at $25,000 per victim unless you are a celebrity, criminal, or activist you probably have not. Still you should erase your phone completely anyway every so often. That will both make it work faster and remove any hacks that are there.
Zero Day Exploits
Pegasus exploits these zero-day vulnerabilities:
CVE-2016-4657: weakness in Safari that lets attacker execute code, meaning direct the iPhone to run the code the hacker wants.
CVE-2016-4655: lets hacker find the address of the kernel in memory. Operating systems put that in random places to defeat hackers. Hackers need to know where subroutines are located in memory so they can exploit them.
CVE-2016-4656: lets hackers jailbreak the device, meaning gain root access. Then they can turn off security features and install software.
How it Works
Having exploited the browser, the Spyware then downloads a zipped file and does the following.
● Install a root TLS certificate. That would cause iOS to trust data encrypted by the hacker.
● Adds a subroutine that lets Pegasus inject code into a running process. So, for example, they can then run undetected in the memory occupied by WhatsApp or other program and operate from there. This part used code freely available on the internet called Cydia Mobile Substrate.
● Installed sniffers for Viber, WhatsApp, and other programs. A sniffer is software that listens to and records traffic.
● Install a process (daemon) to send files to the hackers Command and Control center.
● Mounts its own system partition, meaning boot up instructions, bypassing what Apple wrote.
● Turns off the phone’s Deep Sleep mechanism.
● Removes any other jailbreak software.
● Installs a self-destruct feature, to erase any traces of itself as needed.