New Delhi: Redirections to suspicious-looking URLs through ‘rogue cell towers’. Exploitation of yet-undiscovered software vulnerabilities (zero days). Some clever camouflage. Leaving few traces on the permanent memory of your device.
These are some of the tricks the sophisticated Israeli spyware Pegasus is believed to employ in its attempts to infect target devices, according to the London-based human rights NGO Amnesty International, which provided technical support on the Pegasus Project exposé released this month.
The exposé centered on a leaked database of 50,000 names who were allegedly targeted through the Pegasus spyware of Israel’s NSO Group, which claims to license the software only to law enforcement and intelligence agencies of “vetted” governments. The NSO Group has denied the allegations.
As part of the project, Amnesty conducted an analysis of 67 phones linked to the numbers on the database, and found “forensic evidence of Pegasus infections or attempts” on 37. Out of these, 34 were iPhones and three were Android. However, Amnesty stresses this isn’t meant to reflect the relative safety of one operating system over another.
It probably has more to do with how iPhone systems log more information that lends itself to tracking malicious activity within the phone, while Android phones don’t.
“As a result, most recent cases of confirmed Pegasus infections have involved iPhones,” it said.
Amnesty shared this information on the same day the exposé was released, 18 July, in a bid to explain the “cutting-edge” forensic analysis employed by its Security Lab for the project.
The report details Pegasus activity from 2014 up to July 2021, but mostly focuses on the period between 2018 and 2021. It explains how the software is believed to have evolved over the years to become even more sophisticated and difficult to detect.
Also read: What is Pegasus? The ‘ultimate spyware’ used for surveillance
Digital forensics & a caveat
The Amnesty forensic report is replete with phrases such as “likely the internal name”, and “likely among those exploited” — indicating that Amnesty might not be a 100 per cent sure of their findings. There is a reason for this.
Digital forensics involves collecting and analysing information from an electronic device to look for certain evidence — in this case, Pegasus activity — and taking measures to limit human and computer errors and biases.
As it is usually with scientific research, digital forensics can only conclude there is enough evidence to not reject an idea. The alternative would be to establish Pegasus activity was not present. But how do you prove something that is not present? For this reason, a commitment to objective truth demands that experts do not state conclusions in absolute terms.
While seen as prudent, this has opened Amnesty findings up to questions — for example, in July 2020, an Israeli court dismissed a petition against NSO Group saying Amnesty “did not prove NSO’s technology had been used to spy on its members”.
Network injections
Pegasus-linked activity found in 2019 allegedly showed the spyware performing ‘network injections’.
‘Network injection’ means the spyware was allegedly disguising its malicious data requests as legitimate ones originating from the victim. To do this, Amnesty believes Pegasus operators used either a rogue cell tower or set up equipment at the site of the mobile operator. A SIM card’s International Mobile Subscriber Identity (IMSI) is key to this tactic.
Mobile phones emit signals that are received by cell towers in the vicinity. They don’t discern between legitimate and rogue cell towers. A rogue cell tower (also known as an IMSI Catcher) can intercept a signal from the target mobile phone, register its IMSI, and submit disguised requests to the mobile operator.
Pegasus is believed to have used network injections to redirect the victim’s internet activity to malicious sites where its agent can be injected into the phone.
As an example, Amnesty cited a 2019 instance when Moroccan activist Maati Monjib — an alleged Pegasus target — tried to visit Yahoo on his phone but was instead redirected to a website with a strange address: https://bun54l2b67.get1tn0w.free247downloads[.]com:30495/szev4hz
According to Amnesty, parts of this address appeared in another suspected Pegasus-targeted phone months later — that of Moroccan journalist Omar Radi.
Tracking Pegasus through process names
Alleged Pegasus attacks from 2018, 2019 and 2020 left behind forensic evidence in the form of ‘processes’ executed by the spyware within the phone. A process is the smallest step an app performs. Any app will run many different processes while in use.
Apple’s iOS, Amnesty said, “maintains records of process executions and their respective network usage in two SQLite database files called ‘DataUsage.sqlite’ and ‘netusage.sqlite’”.
The databases store details of how much network data is used by a process, and whether they used WiFi or cellular network.
Amnesty said it found traces of suspicious processes potentially linked to Pegasus spyware — with the names ‘bh’ and ‘fservernetd’. The seemingly odd names of these processes may be aimed at obfuscation.
Amnesty said “both Maati Monjib’s and Omar Radi’s network usage databases contained records of a suspicious process called ‘bh’. This ‘bh’ process was observed on multiple occasions immediately following visits to Pegasus Installation domains”, such as ‘free247downloads[.]com’.
The processes discovered became “instrumental” as Amnesty “found processes with the same names on devices of targeted individuals from around the world”.
In 2016, researchers reportedly discovered that Pegasus exploited a vulnerability in the iOS JavaScriptCore Binary so that its processes can run on an iPhone without permission and without being noticed.
The JavaScript Core allows code written in JavaScript to run on iOS applications written in other programming languages.
Pegasus used this vulnerability to gain entry into apps and remain on the device even after it was rebooted.
Also read: Deniability is Pegasus scandal’s strongest suit. And national security is the biggest price
Zero-click attacks
Between 2016 and 2018, Pegasus allegedly tried to get into phones by sending a malicious link via SMS, hoping the victim would click it. A change of strategy has reportedly come to light since 2019, when the spyware allegedly started focusing on attacks that require zero clicks. No suspicious link, no web surfing — the phone just has to be on and connected to the internet for Pegasus to enter.
Amnesty says it found the software using the Apple messaging service iMessage to perpetuate zero-click attacks, through Apple iCloud online data storage accounts made with Gmail and Microsoft Outlook email addresses.
When an iPhone user tries to send someone an iMessage, the app automatically performs a ‘look up’ of the contact, which means it contacts the Apple servers to see if the person has an iCloud account. Your iPhone will then store a record of you trying to contact the person and the iCloud linked to that person.
Records from 2019, Amnesty said, show that one victim’s iMessage app looked up an account named ‘bergers.o79@gmail.com’, likely after the victim received an iMessage from this account.
Less than an hour after the look-up of the suspicious account, Amnesty noted that two processes started running, ‘roleaccountd’, and ‘stagingd’ on the victim’s phone.
“Forensic analysis of multiple devices found similar records. In many cases, the same iMessage account reoccurs across multiple targeted devices, potentially indicating that those devices have been targeted by the same operator. Additionally, the processes roleaccountd and stagingd occur consistently, along with others,” it said.
In 2021, Amnesty said, a French human rights lawyer’s iPhone performed a look-up of a “suspicious” iMessage account identified as ‘linakeller2203@gmail.com’. Soon after this, a legitimate Apple process called com.apple.coretelephony sent data from the phone to a server with the following online link — ‘https://d38j2563clgblt.cloudfront[.]net/fV2GsPXgW//stadium/megalodon?m=iPhone9,1&v=18C66’.
Data sent to the link was information about the device, such as phone model number and iOS build number.
After this data was sent, the phone received a file taking up about 250 kilobytes of space. The file contents could not be analysed since it was encrypted but Amnesty suspects it contained the Pegasus agent that was installed on the phone and run as ‘gatekeeperd’. This is because the process started running within 20 seconds of the phone sending information to the unknown server.
Not easy to catch Pegasus
The researchers say Pegasus no longer uses or leaves traces of its activity in the permanent memory of a phone. In addition, Pegasus also disguises its processes by giving them names that sound like genuine Apple processes, making it harder to trace.
However, humans make mistakes. In one instance, Pegasus had been unable to delete its presence from a database while deleting traces from a corresponding database, which alerted researchers to unusual activity.
As one security researcher who has studied Pegasus puts it, “what NSO taketh away, NSO also giveth”.
(Edited by Sunanda Ranjan)
Also Read: The NSO Group behind Pegasus list & its murky past — from Mexico to Jamal Khashoggi to India