Counterview Desk
Following the exposure that Israeli spyware Pegasus, manufactured by NSO Group, has been used as a surveillance tool on smartphones used by about 1,500 human rights defenders (HRDs), journalists and activists, including in India, the top rights body, Amnesty International India, has appealed to those who have received a notification to get in touch immediately with Amnesty Tech at share@amnesty.tech for support.
Meanwhile, Amnesty has put out questions and answers to help HRDs,
activists and journalists based in India understand NSO Group’s spyware Pegasus,
especially the WhatsApp targeting.
Text:
Q: What do we know about the NSO Group and its ‘Pegasus’
Spyware?
A: ‘NSO Group’ is an Israeli spyware manufacturer that claims to
sell its surveillance tools – the most well-known being its Pegasus spyware –
exclusively to governments and government agencies ‘to combat terror and
crime’.
Its products have been misused multiple times to conduct
unlawful surveillance against human rights defenders. In the past, it has been
used to target an Amnesty International staff member, HRDs, activists, and
journalists from Saudi Arabia, UAE, Mexico, Morocco, and Rwanda.
Q: How does Pegasus work?
A: If infected by the Pegasus spyware, the user’s smartphone
is compromised. It can track keystrokes, take control of the phone’s camera and
microphone, and access contact lists and encrypted messages.
Until now, Pegasus is known to be delivered through SMS
messages carrying malicious links and through exploiting a zero-day
vulnerability on WhatsApp. In the latter, intrusive spyware could be delivered
on to the target’s mobile device without the targeted person having to click on
a malicious link. The targeted person would simply see a missed call on
WhatsApp.
In addition to this, Amnesty International has also
found evidence of
network injection attacks that could also be attributed to NSO Group. Network
injection attacks are generally called “man-in-the-middle” attacks. Through
this, an attacker with access to a target’s mobile network connection can
monitor and opportunistically hijack web traffic and silently re-route the web
browser to malicious exploit pages.
Q: How did the targeting via WhatsApp work?
A: NSO Group exploited a security vulnerability in WhatsApp
until May 2019. In order to exploit this, the digital attack initiated WhatsApp
calls to the target’s device. Attackers may have tried to exploit this issue by
making calls multiple times during the night when the target was likely to be
asleep and not notice these calls. Successful infection of the target’s device
may result in the app crashing. There is a possibility that the attacker may
also remotely erase evidence of these calls from the device’s call logs.
Evidence of failed attacks may appear as missed calls from unknown numbers in
your WhatsApp call log.
Q: If I didn’t receive a notification from WhatsApp, does
this mean I wasn’t targeted by NSO Group’s tools?
A: NSO Group’s Pegasus tool is used for targeted attacks and,
by design, is not meant for mass surveillance. This means that only select
individuals would have been targeted. However, if you are a high-risk user,
i.e., an activist, journalist, or HRD involved in politically sensitive
activism, you cannot presume that you have not been targeted simply because you
haven’t received a notification from WhatsApp.
The attack was delivered by exploiting a vulnerability in
WhatsApp. However, NSO Pegasus infections can also be delivered through other
means. Based on information revealed by our own investigations, an Amnesty
International staffer was targeted using SMS messages. One HRD in Morocco was
targeted both before and after the attacks using the WhatsApp exploit, but not
with the WhatsApp exploit itself. Both of them were targeted using SMS messages
containing malicious links and network injection attacks that could also be
attributed to NSO Group’s tools. This indicates that NSO Group has the
documented capability to deliver infections through means other than WhatsApp.
Q: If WhatsApp was targeted, can’t I just switch to another
encrypted platform?
A: No. A vulnerability in the WhatsApp software was
exploited to deliver the spyware. All complex software can have these types of
vulnerabilities. This vulnerability was not a flaw in WhatsApp’s end-to-end
encryption protocol.
This also does not mean that only the WhatsApp data of the
target was compromised. If the attack attempt was successful, the spyware would
gain full access to the device. Any other data on the device including
encrypted platforms such as Signal or Telegram could then also have been
accessed.
Q: Can Pegasus plant data into my devices?
A: Based on publicly available information, planting data is
not a feature of NSO Group’s Pegasus spyware.
Q: What steps can I take to protect myself?
A: None of the security best practices offer complete and
foolproof protection. However, it is a good practice to install the latest
software updates of operating systems and encrypted messaging applications on
your mobile device.
Pegasus remains a relatively uncommon threat and standard
digital hygiene steps are still important. Keep your device’s software
up-to-date. Use a unique password for each service that you use and store these
passwords in a secure password manager. Enable two-factor authentication on all
accounts where it is available.