July 28, 2021 by Ratnesh Shinde
In the good old times, the conventional thinking was that if you didn’t want spyware or malware to infiltrate your phone or computer, you shouldn’t click on suspicious links. The common thinking is thrown out the window with the introduction of Pegasus, spyware developed by the Israeli organization NSO Group.
With spyware like Pegasus, nearly everyone, no matter how cautious they are, has the potential to be infected with and monitored by the programme.
In fact, Israel considers it to be a cyber weapon since it is so strong and stealthy that it can infect phones using zero-click methods. The user is not even aware that they have been infected by the virus.
Previously, the most effective method of installing spyware on someone’s phone was to trick them into clicking on a link.
For example, the targeted person may receive a shady message or email in which they are instructed to click on a hyperlink. For example, “click on this link to see the latest stock market prices” may be written in the text.
Alternatively, there might have been a way in which the user would be requested to download anything from an infected website, such as “install this plug-in” to see the video or read the article, etc.
All of these techniques were based on the assumption that users would make a mistake. Or that they would be careless enough to click on a link that was provided. Even Pegasus made use of these techniques.
In 2016, when an activist in the Middle East received a message urging him to click on a link, he instantly became suspicious of the message.
As a result, he transmitted the communication to Citizen Lab, a Canadian research organisation. It was discovered that the message did indeed originate from the Pegasus system and that it was an effort to hack into the activist’s iPhone.
However, as soon as these techniques were brought to public attention, NSO Group altered the game. According to recent discoveries by Amnesty International, Pegasus is now capable of infecting an iPhone or an Android device using zero-click techniques.
To put it another way, it doesn’t even require the user to do anything before Pegasus can enter a phone. It may be transmitted as easily as a missed WhatsApp call. WhatsApp fixed the bug in January of this year.
As a result, Pegasus now communicates with humans using iMessage. Pegasus is downloaded into the user’s phone even if they do not read the email that comes in their inbox.
The possibilities are terrifying. Now, all that is required to target someone is a phone number that works on a smartphone, which can be obtained from an agency such as NSO or its clients.
People will find it virtually hard to avoid malware such as Pegasus if they use the zero-click method. A government agency employing the services of an organisation like Pegasus is chasing your phone and you have nothing you can do to stop them.
The only solution is to keep changing the phone and number, over and over again, until the number gets leaked into the public domain. And it, too, is a temporary solution. Although this technique may be effective in avoiding something as powerful as a government body that utilises NSO Group tools and infrastructure, there is no assurance that it is effective.
It has become more difficult to distinguish between privacy and surveillance now that the stakes have been raised, and monitoring has gained the upper hand.
This is why both Amnesty International and Edward Snowden, who has firsthand experience with Pegasus-like tools through his work with the National Security Agency in the United States, are pushing for a ban on the sale and dissemination of cyber weapons.
Otherwise, it would be difficult to eradicate security flaws that spyware like Pegasus exploit, and given since they don’t even require any human input before they can begin eavesdropping on the phone, there would be no practical method to prevent them from doing so.