The Times Australia
The Times World News

.

How does the Pegasus spyware work, and is my phone at risk?

  • Written by Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University

A major journalistic investigation[1] has found evidence of malicious software being used by governments around the world, including allegations of spying on prominent individuals.

From a list of more 50,000 phone numbers[2], journalists identified more than 1,000 people in 50 countries[3] reportedly under surveillance using the Pegasus spyware. The software was developed by the Israeli company NSO Group and sold to government clients.

Among the reported targets of the spyware are journalists, politicians, government officials, chief executives and human rights activists.

An aerial view of the Al Jazeera Australia newsroom. Journalists working for Al Jazeera were reportedly among those targeted by NSO’s government clients. Al Jazeera

Reports thus far allude to a surveillance effort reminiscent of an Orwellian nightmare[4], in which the spyware can capture keystrokes, intercept communications, track the device and use the camera and microphone to spy on the user.

How did they do it?

The Pegasus spyware can infect the phones of victims through a variety of mechanisms. Some approaches may involve an SMS or iMessage that provides a link to a website. If clicked, this link delivers malicious software that compromises the device.

Others use the more concerning “zero-click[5]” attack where vulnerabilities in the iMessage service in iPhones allows for infection by simply receiving a message, and no user interaction is required.

The aim is to seize full control of the mobile device’s operating system, either by rooting (on Android devices) or jailbreaking (on Apple iOS devices).

Usually, rooting[6] on an Android device is done by the user to install applications and games from non-supported app stores, or re-enable a functionality that was disabled by the manufacturer.

Similarly, a jailbreak[7] can be deployed on Apple devices to allow the installation of apps not available on the Apple App Store, or to unlock the phone for use on alternative cellular networks. Many jailbreak approaches require the phone to be connected to a computer each time it’s turned on (referred to as a “tethered jailbreak[8]”).

Read more: Holding the world to ransom: the top 5 most dangerous criminal organisations online right now[9]

Rooting and jailbreaking both remove the security controls embedded in Android or iOS operating systems. They are typically a combination of configuration changes and a “hack” of core elements of the operating system to run modified code.

In the case of spyware, once a device is unlocked, the perpetrator can deploy further software to secure remote access to the device’s data and functions. This user is likely to remain completely unaware.

Most media reports on Pegasus relate to the compromise of Apple devices. The spyware infects Android devices too, but isn’t as effective[10] as it relies on a rooting technique that isn’t 100% reliable. When the initial infection attempt fails, the spyware supposedly prompts the user to grant relevant permissions so it can be deployed effectively.

But aren’t Apple devices more secure?

Apple devices are generally considered more secure[11] than their Android equivalents, but neither type of device is 100% secure.

Apple applies a high level of control to the code of its operating system, as well as apps offered through its app store. This creates a closed-system often referred to as “security by obscurity[12]”. Apple also exercises complete control over when updates are rolled out, which are then quickly adopted by users[13].

Apple devices are frequently updated to the latest iOS version via automatic patch installation. This helps improve security and also increases the value of finding a workable compromise to the latest iOS version, as the new one will be used on a large proportion of devices globally.

On the other hand, Android devices are based on open-source concepts, so hardware manufacturers can adapt the operating system[14] to add additional features or optimise performance. We typically see a large number of Android devices running a variety of versions — inevitably resulting in some unpatched and insecure devices (which is advantageous for cybercriminals).

Ultimately, both platforms are vulnerable to compromise. The key factors are convenience and motivation. While developing an iOS malware tool requires greater investment in time, effort and money, having many devices running an identical environment means there is a greater chance of success at a significant scale.

While many Android devices will likely be vulnerable to compromise, the diversity of hardware and software makes it more difficult to deploy a single malicious tool to a wide user base.

How can I tell if I’m being monitored?

While the leak of more than 50,000 allegedly monitored phone numbers seems like a lot, it’s unlikely the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active.

It is in the very nature of spyware to remain covert and undetected on a device. That said, there are mechanisms in place to show whether your device has been compromised.

The (relatively) easy way to determine this is to use the Amnesty International Mobile Verification Toolkit (MVT)[15]. This tool can run under either Linux or MacOS and can examine the files and configuration of your mobile device by analysing a backup taken from the phone.

While the analysis won’t confirm or disprove whether a device is compromised, it detects “indicators of compromise[16]” which can provide evidence of infection.

In particular, the tool can detect the presence of specific software (processes)[17] running on the device, as well as a range of domains[18] used as part of the global infrastructure supporting a spyware network.

What can I do to be better protected?

Unfortunately there is no current solution for the zero-click attack. There are, however, simple steps you can take to minimise your potential exposure — not only to Pegasus but to other malicious attacks too.

1) Only open links from known and trusted contacts and sources when using your device. Pegasus is deployed to Apple devices through an iMessage link. And this is the same technique used by many cybercriminals[19] for both malware distribution and less technical scams. The same advice applies to links sent via email or other messaging applications.

2) Make sure your device is updated with any relevant patches and upgrades. While having a standardised version of an operating system creates a stable base for attackers to target, it’s still your best defence[20].

If you use Android, don’t rely on notifications for new versions of the operating system. Check for the latest version yourself, as your device’s manufacturer may not be providing updates[21].

3) Although it may sound obvious, you should limit physical access to your phone. Do this by enabling pin, finger or face-locking on the device. The eSafety Commissioner’s website[22] has a range of videos explaining how to configure your device securely.

4) Avoid public and free WiFi services (including hotels[23]), especially when accessing sensitive information. The use of a VPN is a good solution when you need to use such networks.

5) Encrypt your device data[24] and enable remote-wipe features[25] where available. If your device is lost or stolen, you will have some reassurance your data can remain safe.

Correction: this article was changed to reflect reports iPhone users targeted with the Pegasus spyware seem to have been targeted specifically with zero-click attacks.

References

  1. ^ journalistic investigation (www.washingtonpost.com)
  2. ^ 50,000 phone numbers (www.amnesty.org)
  3. ^ people in 50 countries (www.smh.com.au)
  4. ^ Orwellian nightmare (books.google.com.au)
  5. ^ zero-click (9to5mac.com)
  6. ^ rooting (www.digitaltrends.com)
  7. ^ jailbreak (www.digitaltrends.com)
  8. ^ tethered jailbreak (www.diffen.com)
  9. ^ Holding the world to ransom: the top 5 most dangerous criminal organisations online right now (theconversation.com)
  10. ^ isn’t as effective (www.kaspersky.com.au)
  11. ^ generally considered more secure (us.norton.com)
  12. ^ security by obscurity (www.bcs.org)
  13. ^ adopted by users (9to5mac.com)
  14. ^ adapt the operating system (www.makeuseof.com)
  15. ^ Amnesty International Mobile Verification Toolkit (MVT) (www.amnesty.org)
  16. ^ indicators of compromise (github.com)
  17. ^ software (processes) (github.com)
  18. ^ domains (github.com)
  19. ^ many cybercriminals (link.springer.com)
  20. ^ best defence (us.norton.com)
  21. ^ may not be providing updates (www.avg.com)
  22. ^ eSafety Commissioner’s website (www.esafety.gov.au)
  23. ^ including hotels (www.techrepublic.com)
  24. ^ Encrypt your device data (spreadprivacy.com)
  25. ^ remote-wipe features (www.lifewire.com)

Read more https://theconversation.com/how-does-the-pegasus-spyware-work-and-is-my-phone-at-risk-164781

Times Magazine

Headless CMS in Digital Twins and 3D Product Experiences

Image by freepik As the metaverse becomes more advanced and accessible, it's clear that multiple sectors will use digital twins and 3D product experiences to visualize, connect, and streamline efforts better. A digital twin is a virtual replica of ...

The Decline of Hyper-Casual: How Mid-Core Mobile Games Took Over in 2025

In recent years, the mobile gaming landscape has undergone a significant transformation, with mid-core mobile games emerging as the dominant force in app stores by 2025. This shift is underpinned by changing user habits and evolving monetization tr...

Understanding ITIL 4 and PRINCE2 Project Management Synergy

Key Highlights ITIL 4 focuses on IT service management, emphasising continual improvement and value creation through modern digital transformation approaches. PRINCE2 project management supports systematic planning and execution of projects wit...

What AI Adoption Means for the Future of Workplace Risk Management

Image by freepik As industrial operations become more complex and fast-paced, the risks faced by workers and employers alike continue to grow. Traditional safety models—reliant on manual oversight, reactive investigations, and standardised checklist...

From Beach Bops to Alpine Anthems: Your Sonos Survival Guide for a Long Weekend Escape

Alright, fellow adventurers and relaxation enthusiasts! So, you've packed your bags, charged your devices, and mentally prepared for that glorious King's Birthday long weekend. But hold on, are you really ready? Because a true long weekend warrior kn...

Effective Commercial Pest Control Solutions for a Safer Workplace

Keeping a workplace clean, safe, and free from pests is essential for maintaining productivity, protecting employee health, and upholding a company's reputation. Pests pose health risks, can cause structural damage, and can lead to serious legal an...

The Times Features

Duke of Dural to Get Rooftop Bar as New Owners Invest in Venue Upgrade

The Duke of Dural, in Sydney’s north-west, is set for a major uplift under new ownership, following its acquisition by hospitality group Good Beer Company this week. Led by resp...

Prefab’s Second Life: Why Australia’s Backyard Boom Needs a Circular Makeover

The humble granny flat is being reimagined not just as a fix for housing shortages, but as a cornerstone of circular, factory-built architecture. But are our systems ready to s...

Melbourne’s Burglary Boom: Break-Ins Surge Nearly 25%

Victorian homeowners are being warned to act now, as rising break-ins and falling arrest rates paint a worrying picture for suburban safety. Melbourne residents are facing an ...

Exploring the Curriculum at a Modern Junior School in Melbourne

Key Highlights The curriculum at junior schools emphasises whole-person development, catering to children’s physical, emotional, and intellectual needs. It ensures early year...

Distressed by all the bad news? Here’s how to stay informed but still look after yourself

If you’re feeling like the news is particularly bad at the moment, you’re not alone. But many of us can’t look away – and don’t want to. Engaging with news can help us make ...

The Role of Your GP in Creating a Chronic Disease Management Plan That Works

Living with a long-term condition, whether that is diabetes, asthma, arthritis or heart disease, means making hundreds of small decisions every day. You plan your diet against m...