Spyware has been a significant security threat for close to twenty years. This type of persistent malware works away stealthily, collecting data on sites visited, emails sent, usernames and passwords, and even the banking details of the unsuspecting individual. It is essentially invisible to most regular device users. On the off chance that it is detected, removal is much more complex than a simple uninstall option.
With the near-universal adoption of smartphones, the threat landscape for spyware has grown considerably. With all of the data being stored on mobile phones, they are an even more fruitful target for spyware than a laptop or desktop PC.
Spyware can monitor SMS messages coming in and leaving the device, email details, call lists, geolocation data, browser history, and all types of usernames and passwords. If a mobile phone is used for work purposes, a whole new set of risks opens up for the employer, and private company data could be accessed and exfiltrated.
Spyware has multiple ways of finding its way onto a mobile device. Malicious applications downloaded carelessly, OS defects, or bugs may provide a backdoor for spyware to get into the device; using unsecured public wi-fi networks to access the internet is another route. Downloading an attachment from an email could also open the door to spyware.
In more recent times, there has been a degree of alarm at the spread of the Android Flubot spyware, which can steal passwords and other types of private data. The form of delivery is a fraudulent message claiming that there was a missed delivery of a package, with a link to enable tracking of the delivery item. How many people could fall for this kind of basic phishing? The fake messages purport to be from DHL; however, they use an insecure HTTP link instead of the more secure HTTPS.
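The two indicators called out above (a delivery-themed lure and a plaintext HTTP link that does not belong to the brand being impersonated) are the kind of thing a message filter can check mechanically. The following is an added illustration, not code from the original article or from any vendor; the sample messages are constructed, and the set of trusted DHL domains is an assumption used only to show the brand-mismatch check.

```python
import re
from urllib.parse import urlsplit

# Assumption for the demo: the domains a genuine DHL tracking link may use.
# A real deployment would maintain this list per brand from the brand's own published domains.
TRUSTED_DOMAINS = {"dhl": {"dhl.com", "dhl.de"}}

# Words typical of the "missed parcel" lure described in the article.
LURE_WORDS = ("missed delivery", "package", "parcel", "track", "tracking")

# Matches http(s) links and bare www. links; trailing punctuation is trimmed afterwards.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")


def extract_urls(text):
    """Return every link in the message, normalising bare www. links to http://."""
    urls = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")
        if url.lower().startswith("www."):
            url = "http://" + url  # a bare www. link is fetched over plaintext by default
        urls.append(url)
    return urls


def host_matches(host, domains):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def assess_message(text, claimed_brand):
    """Score a message that claims to come from claimed_brand.

    Returns (verdict, suspicious_links) where each suspicious link carries the
    reasons it was flagged: 'plaintext-http' and/or 'brand-mismatch'.
    """
    lure = any(word in text.lower() for word in LURE_WORDS)
    suspicious_links = []
    for url in extract_urls(text):
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if parts.scheme.lower() == "http":
            reasons.append("plaintext-http")
        trusted = TRUSTED_DOMAINS.get(claimed_brand)
        # Note: a host like www.dhl.com.example.net does NOT match, because the
        # check is on the registered domain suffix, not on a substring.
        if trusted and not host_matches(host, trusted):
            reasons.append("brand-mismatch")
        if reasons:
            suspicious_links.append((url, reasons))

    if suspicious_links and lure:
        verdict = "likely-phishing"   # lure text plus a bad link: the Flubot pattern
    elif suspicious_links:
        verdict = "suspicious"        # bad link without lure wording
    else:
        verdict = "no-indicators"
    return verdict, suspicious_links


if __name__ == "__main__":
    # Constructed sample messages (not real Flubot lures).
    samples = [
        "DHL: we missed a delivery of your package. Track it at http://dhl-parcel-track.example/app",
        "DHL: your parcel arrives tomorrow. https://www.dhl.com/track?id=ABC123",
        "Your package: https://www.dhl.com.tracking-update.example/x",
    ]
    for sample in samples:
        print(assess_message(sample, "dhl"))
```

The brand-mismatch check deliberately compares the registered domain suffix rather than looking for "dhl" anywhere in the host, since lookalike hosts routinely embed the real brand name in a subdomain. Bare `www.` links are treated as plaintext HTTP because that is how a client will fetch them unless the site redirects.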
Flubot has all types of powerful functionality, such as stealing data and credentials on your phone, sending messages to your contacts, and intercepting incoming messages; it is even capable of disabling Google Play Protect. With so much data now stored on mobile phones, this type of spyware has a perfect attack surface to exploit.
Talk of Flubot has definitely been eclipsed by Pegasus spyware in the last couple of weeks. This product operates on a higher level of sophistication. It was first discovered back in 2016 and at the time was described as ‘the most sophisticated compromise of an endpoint ever seen’. Malicious links are forwarded to the mobile user by SMS, WhatsApp, or iMessage. It was the first known example of the complete remote hack of an iPhone. It can be used to compromise both iOS and Android, in slightly different ways.
Pegasus facilitates the remote surveillance of people through a compromised mobile device. It is modular malware and is capable of complete surveillance. The types of surreptitious monitoring available through this malware include accessing contact lists and browser history, reading SMS messages, listening in on telephone calls, and even taking screenshots. Through the use of a keylogger, it can even read WhatsApp messages before they are encrypted. The geolocation of the target is also easily available. Essentially, your mobile is owned remotely by whoever has accessed it through Pegasus.
It was developed by the NSO Group in Israel as a tool for high-level monitoring and surveillance of terrorists, drug traffickers, and organised crime, according to their website. This spyware was developed at a high cost to be sold to significant clients, such as nation-states. The developers used three zero-day vulnerabilities in iOS to deliver Pegasus onto target devices. Those zero-day vulnerabilities in iOS would have been worth millions on the open market. They have since been patched through a security update. Pegasus was also adapted to be able to access Android too. As these two platforms almost exclusively control the global mobile market, almost any mobile is potentially susceptible to this attack. The reality, however, is that the targets of this malware will be strategic in nature.
It has been reported to have been found on the mobile devices of politicians, government officials, and some journalists. French President Emmanuel Macron has taken the step of getting rid of his phone on the intelligence that it may have been a target of Pegasus spyware. An investigation has also been launched into Moroccan intelligence services targeting certain French journalists with the spyware.
The NSO Group supplies smartphone-compromising tools to law enforcement agencies, intelligence services, and armed forces in over forty countries. They claim that the accusations being made against them are inaccurate. The NSO Group has temporarily suspended some of its clients in order to establish whether its product was being misused, since the company itself has come under growing scrutiny following the recent leaks. Amazon Web Services has blocked cloud access for any accounts connected to the NSO Group.
In selling this malware to so many national agencies, there is clearly a high risk that such a powerful tool would be used for purposes other than the ones stated by the NSO Group on their website. Journalists, dissidents, and political opponents are said to be among the dragnet of this spyware.
The cost of long-term access to Pegasus can run into millions of dollars. It clears much of its own activity and it would be unrealistic to expect it to be detected unless the mobile device were to undergo expert forensic analysis. Pegasus consistently hides traces of itself and even has the capacity to self-destruct if contact is lost with command-and-control servers for significant periods.
It works perfectly well on iPhone and Android. A zero-day vulnerability in the iMessage feature was used to compromise iPhones. Apple released numerous patches in the past couple of weeks, but unfortunately nothing as yet to resolve the Pegasus vulnerability. The updated version of Pegasus is zero-click software: it doesn't even require the user to click on a dubious link or fall for a phishing trick. Receiving a missed call on a mobile phone is potentially sufficient to get your device compromised by Pegasus.
The NSO Group is not the only competitor in this highly lucrative targeted surveillance market; it is one of various mobile spyware providers. FinFisher GmbH is a German-based company that has sold its commercial FinSpy software to numerous nations, including those with very poor human rights records such as Bahrain, Ethiopia, and Turkey. Similar cases of non-criminal targets of FinSpy malware have been reported in the past decade.
The most likely prediction is that this will quietly continue to happen. There is probably little appetite for more regulation of this area by nation-states, as they may wish to utilise a product like Pegasus at some point in the future. Highly strategic targets will continue to have their mobiles compromised for the foreseeable future.