How Pegasus infects your phone and spies on you without a click | India News – Times of India

Developed by Israeli cyber intelligence firm NSO Group — known for its expertise in creating specialised cyber weapons — Pegasus is a highly sophisticated surveillance tool. It got widespread attention in 2019 when WhatsApp alerted several users that spyware had compromised their phones.
WhatsApp, Amnesty International and others sued NSO in the US in 2019, but Pegasus was reportedly used as early as 2016, when an Arab human rights activist’s iPhone was hacked. Within days, Apple released an iOS update that reportedly patched the vulnerability targeted by Pegasus.
Pegasus is in the middle of a massive controversy again, with an international media collaboration reporting that an unidentified agency may be targeting journalists and others for surveillance with it. Among the 50,000 phone numbers found on a potential list for surveillance, 40 are of Indian journalists.
Who has access and what’s it used for?
Multiple reports have said Pegasus is used for surveillance by agencies across countries, but there is no clarity on which specific agency in which country uses it.
The investigation by Amnesty International and French media group Forbidden Stories has found that while most NSO servers are in Europe, three are located in India and used as attack infrastructure.

If NSO is to be believed, no nongovernmental agency has access to its software. It says it has 60 government agency clients in 40 countries, but has not named them. And while WhatsApp and others allege Pegasus is spyware, NSO maintains it sells its software “for the sole purpose of saving lives through preventing crime and terror acts.”
“NSO does not operate the system and has no visibility to the data. Our technologies are being used every day to break up pedophilia rings, sex and drug-trafficking rings, locate missing and kidnapped children,” an NSO statement reads.
How are phones hacked?
Pegasus’ USP is its ability to invade a phone without a click from the targeted user. The Organized Crime and Corruption Reporting Project (OCCRP) says earlier versions required a target’s active participation. Pegasus operators sent text messages containing a malicious link, which, if clicked, would open a malicious web page to download and execute the malware. But as people became better at spotting malicious spam, the use of ‘zero-click exploits’ began.
Zero-click exploits use bugs in popular apps like iMessage, WhatsApp, and FaceTime, which all receive and sort data, sometimes from unknown sources. “Once a vulnerability is found, Pegasus can infiltrate a device using the protocol of the app. The user does not have to click on a link, read a message, or answer a call — they may not even see a missed call or message,” OCCRP says.
Timothy Summers, a former cyber engineer at a US intelligence agency, described Pegasus as nasty software. “It hooks into most messaging systems including Gmail, Facebook, WhatsApp, FaceTime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. With a line-up like this, one could spy on almost the entire world population. It’s apparent that NSO is offering an intelligence-agency-as-a-service,” Summers told reporters.
What type of surveillance?
Basically, Pegasus can spy on every aspect of the target’s life, researchers from cybersecurity firm Kaspersky say. It is modular malware — after scanning the target’s device, it installs the necessary modules to read the user’s messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, etc.
“Pegasus could even listen to encrypted audio streams and read encrypted messages — thanks to its keylogging and audio recording capabilities, it was stealing messages before they were encrypted (and, for incoming messages, after decryption),” Kaspersky adds.
