In late July 2021 Amnesty International together with The Citizen Lab published an analysis showing the widespread use of NGO Group's Pegasus software. Pegasus is a type of spyware that is commercially available to anyone willing to pay the asking price, and can be used to spy on the carrier of a mobile phone using pretty much any technological feature of the phone. Reading messages and Emails, turning on the camera and microphone, capturing keystrokes, etc. can be remotely initiated. Here's an in-depth report.

What's exceedingly interesting is the question of how it's possible to deliver a compromising loader and eventually the actual payload to a specific targeted phone. Some media reports talk about "zero-click infections" and "invisible" SMS and iMessage messages that lead to a compromise without any indication to or action by the recipient. This is sensationalist. Post-mortems of affected phones clearly show the attack vectors through artifacts left on the devices that Pegasus didn't clean up completely.

In this context it's important to understand that the attackers will generally be government organizations with wide-ranging possibilities to access telco provider infrastructure.

Delivery Mechanism

Based both on that report as well as an earlier analysis it seems possible to piece together the kill chain.

1. the intended recipient is identified and her phone number and messaging address is collected, possibly by or through government or mobile provider channels.
2. the location of the victim is identified and access to cellular infrastructure is established. This can be to an existing Base Transceiver Station (BTS), or through deployment of an IMSI catcher.
3. a message of a supported type is sent to the phone in question. The message will contain an element that causes network access, such as an (obfuscated) link.
4. some network access occurs. This can be the messaging app loading a preview of the embedded link¹, or the user herself clicking on the link to view the web page.
5. in some cases such as the attack on Maati Monjib, the link in question was an attempted access to http://yahoo.fr/ by Monjib to access his email, without a prior "hook" message.
6. in any event, the compromised cellular infrastructure will now be used to execute a man-in-the-middle attack by diverting the web request to a series of trap servers which will deliver the loader (1st attack stage).
7. the first stage will generally exploit a 0-day vulnerability. NGO as well as other similar companies (and also government agencies) collect and even purchase 0-days for their covert use in these infection loaders.
8. the loader will then establish persistence on the victim's phone and later proceed to download the payload module(s) as the 2nd attack stage. It may then operate for an extended period of time, receiving commands from Command&Control servers, and submit intercepted data.
9. eventually, when a terminate command is received, the software will clean up traces and remove itself from the phone.

As to point 4. NGO has been advancing their initial network access strategy to employ 0-days in iMessage and Apple Music push notifications on Apple devices. These exploits have been keeping pace with updates published by Apple. For Android devices the same might be true for popular apps such as WhatsApp but the situation is less clear.

Possible Defences

The most important message: these attacks are executed by government agencies using sophisticated tools and methods, with unlimited access to provider infrastructure, and virtually unlimited resources. If you're on their list it's probably game over before you even realize it. Dozens of assassinations prove the point.

So what are possible defences?

First of all, if you are a vulnerable journalist, human rights activist, etc: do not carry a smartphone. Do not use a phone to communicate. Don't even own a phone.

Second, for any communications: use a secure laptop which you carry with you 24x7 to prevent evil maid attacks. It should ideally be equipped with Coreboot/Libreboot, and running a sophisticated and well-configured OS such as Qubes OS.

Third, use a VPN at all times, and chose your VPN provider and end points wisely. Providers such as Mullvad that have lots of nodes in multiple countries are probably the best choice. Change nodes frequently. This will make it much harder for local infrastructure attacks to execute MitM attacks.

Fourth, if you need to use cellular communications, use a dumbphone as a modem to which the laptop is attached using USB or personal hotspot functionality if supported, and do not ever use it without the VPN enabled.

Countermeasures

Amnesty International and Citizen Lab have been doing most of the heavy groundwork, so shoutout to them. They have also published two repos that are useful:

The Mobile Verification Toolkit (MVT) helps "to simplify and automate the process of gathering forensic traces helpful to identify a potential compromise of Android and iOS devices."

The Indicators of Compromise are lists of domain names that can and should be blocked in your DNS setup and can also serve to alert you of suspicious activity. These are kept updated in the repository and can be consumed by a nightly DNS blocklist update as alluded to here and to be described more in detail in a future post.

Reader Beware

The point of this article is merely to give a bit of background to the NGO Pegasus affair as it unfolds and summarize the infection process which tends to not be properly documented in the mainstream media. It should in no way be considered technical or legal advice.

Be safe out there.