Explained: Pegasus is a spy that won’t wait; will die before being exposed

“Instead of just waiting for information to arrive, hoping this is the information you were looking for, the operator actively retrieves important information from the device, getting the exact information he was looking for,” the NSO pitch says.

‘Active’ data extraction

The NSO Group categorises the snooping into three levels: initial data extraction, passive monitoring, and active collection.

Unlike other spyware that provide only future monitoring of partial communications, says NSO, Pegasus allows the extraction of all existing, including historical, data on the device for “building a comprehensive and accurate intelligence picture.” The initial extraction sends SMS records, contacts, call history (log), emails, messages, and browsing history to the command and control server.

While Pegasus monitors and retrieves new data real-time — or periodically if configured to do so — from an infected device, it also makes available a whole set of active collection features that allow an attacker to take real-time actions on the target, and retrieve unique information from the device and the surrounding area in its location.

Such active extractions include:

• GPS-based location tracking: If GPS is disabled by a target, Pegasus enables it for sampling and immediately turns it off. If no GPS signal is accessible, Cell-ID is retrieved.
• Environmental sound recording: Pegasus ascertains if the phone is in idle mode before turning on the microphone through an incoming silent call. Any action by the target that turns on the phone screen results in immediate call hang-up and terminates recording.
• Photo taking: Both front and rear cameras can be used after Pegasus ascertains that the phone is in idle mode. The quality of the photo can be pre-determined by an attacker to reduce data use and ensure faster transmission. NSO cautions that since the flash is never used and the phone might be in motion or in a low-lit room, photos can at times be out of focus.
• Rules and alerts: A number of conditions can be pre-set for real-time action, such as geo-fencing alerts (target enters or exits a defined location), meeting alerts (when two devices share the same location), connection alert (a call or message sent or received to/from a specific number), and content alert (a specific word used in a message), etc.

Invisible transmission

The transmitted data is encrypted with symmetric encryption AES 128-bit. Even while encrypting, says NSO, extra care is taken to ensure that Pegasus uses minimal data, battery, and memory to make sure that the target does not get suspicious.

This is the reason why Wi-Fi connections are preferred for transmitting the collected data. NSO says it has put “extra thought into compression methods and focusing on textual content transmission whenever possible” to minimise data footprints to only a few hundred bytes and to ensure minimal impact on the target’s cellular data plan.

Data transmission stops automatically when the battery level is low, or when the target is roaming. When transmission is not possible, Pegasus stores the collected data in a hidden and encrypted buffer which is set to reach no more than 5 per cent of the free space available on the device. Under rare circumstances when no transmission is possible through safe channels, an attacker can collect urgent data through text messages but this, warns NSO, may incur costs that appear on the target’s phone bill.

The communication between Pegasus and the central servers takes place through the Pegasus Anonymizing Transmission Network (PATN), which makes tracing back to the origin “non-feasible”. The PATN nodes, says NSO, are spread across the world, redirecting Pegasus connections through different paths prior to reaching the Pegasus servers.

Self-destruct function

Pegasus comes complete with an efficient self-destruct mechanism. In general, says NSO, “we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.” Any risk of exposure automatically activates the self-destruct mechanism, which also comes into effect if Pegasus does not communicate with its server from an infected device for 60 days or a customised period of time.

There is a third scenario in which the self-destruct mechanism is activated. From the day it released Pegasus, the NSO Group has not allowed Pegasus to infect American phone numbers. The company does not even allow infected phones to travel to the United States. The moment a victim enters the US, Pegasus in her device goes into self-destruct mode.

Bare essentials

All that is required to run Pegasus are operator terminals (standard desktop PCs) with the following specifications:

• Core i5 processor
• 3GB RAM
• 320 GB hard drive
• Windows OS

For system hardware:

• Two units of 42U cabinet
• Networking hardware
• 10TB storage
• 5 standard servers
• UPS
• Cellular modems and SIM cards

Newsletter | Click to get the day’s best explainers in your inbox