Zero-click installation that requires no action by the target is not the only ability that makes Pegasus the super spyware it is. What also makes it unique is the capability of “active collection”, which gives attackers the power to “control the information” they want to collect from the targeted device.
This set of features, says a marketing pitch of the Israeli company NSO Group, which developed Pegasus, is called “active as they carry their collection upon explicit request of the operator”, and this, the pitch says, “differentiates Pegasus from any other intelligence collection solution”, that is, from any other spyware.
“Instead of just waiting for information to arrive, hoping this is the information you were looking for, the operator actively retrieves important information from the device, getting the exact information he was looking for,” the NSO pitch says.
The NSO Group categorises the snooping into three levels: initial data extraction, passive monitoring, and active collection.
Unlike other spyware that provides only future monitoring of partial communications, says NSO, Pegasus allows the extraction of all existing data on the device, including historical data, for “building a comprehensive and accurate intelligence picture.” The initial extraction sends SMS records, contacts, call history (log), emails, messages, and browsing history to the command and control server.
While Pegasus monitors and retrieves new data in real time — or periodically, if configured to do so — from an infected device, it also makes available a whole set of active collection features that allow an attacker to take real-time actions on the target and retrieve unique information from the device and its physical surroundings.
Such active extractions include:
The transmitted data is encrypted with 128-bit AES, a symmetric cipher. Even while encrypting, says NSO, extra care is taken to ensure that Pegasus uses minimal data, battery, and memory so that the target does not become suspicious.
This is the reason why Wi-Fi connections are preferred for transmitting the collected data. NSO says it has put “extra thought into compression methods and focusing on textual content transmission whenever possible” to minimise data footprints to only a few hundred bytes and to ensure minimal impact on the target’s cellular data plan.
Data transmission stops automatically when the battery level is low or when the target is roaming. When transmission is not possible, Pegasus stores the collected data in a hidden and encrypted buffer that is capped at no more than 5 per cent of the free space available on the device. In rare circumstances where no transmission is possible through safe channels, an attacker can collect urgent data through text messages, but this, warns NSO, may incur costs that appear on the target’s phone bill.
The communication between Pegasus and the central servers takes place through the Pegasus Anonymizing Transmission Network (PATN), which makes tracing back to the origin “non-feasible”. The PATN nodes, says NSO, are spread across the world, redirecting Pegasus connections through different paths prior to reaching the Pegasus servers.
Pegasus comes complete with an efficient self-destruct mechanism. In general, says NSO, “we understand that it is more important that the source will not be exposed and the target will suspect nothing than keeping the agent alive and working.” Any risk of exposure automatically activates the self-destruct mechanism, which also comes into effect if Pegasus does not communicate with its server from an infected device for 60 days or a customised period of time.
There is a third scenario in which the self-destruct mechanism is activated. From the day it released Pegasus, the NSO Group has not allowed Pegasus to infect American phone numbers. The company does not even allow infected phones to travel to the United States. The moment a victim enters the US, Pegasus in her device goes into self-destruct mode.
All that is required to run Pegasus are operator terminals (standard desktop PCs) with the following specifications:
For system hardware: