Pegasus, the spyware tool used by Israeli firm NSO Group, has gotten an upgrade which lets it access cloud account information from services like Apple, Google, Facebook, Microsoft and Amazon in addition to the information stored on the Android or iOS device.
In May this year, the NSO Group was reported to be behind the WhatsApp attack, in which the Pegasus spyware could be installed on a smartphone by a simple WhatsApp call. The NSO Group had denied direct involvement in the WhatsApp attack. The user did not even have to pick up or reject the call for the attack to be successful. WhatsApp later issued a security fix, and it was believed the spyware was used to target those working for human rights groups.
Pegasus accessing cloud information on Google, Apple, Microsoft, Amazon and Facebook
According to the latest report published by the Financial Times, after the upgrade Pegasus can access and harvest data from the servers of Apple, Google, Facebook, Amazon and Microsoft, and access the cloud information. Many users rely on cloud storage to save photos and messages, along with other encrypted files, and according to this report, all of that information could be compromised by Pegasus’ new features if their account were under attack.
The new features can access the cloud information without “prompting 2-step verification” or warning the user via email. Many users have 2-step verification turned on for their Apple, Google and Microsoft accounts, and if Pegasus can access the data without any warning, this raises a lot of security risks and also means that at times users might not even realise their data has been compromised.
Exactly how is Pegasus accessing cloud information? The report says that Pegasus is able to copy authentication keys to these services and can then independently download the entire data and online history of the target.
The spyware can infect both Android and iOS devices, and can also spread to laptops and tablets. The Financial Times report also notes that even if the spyware is removed from the original target device, it can continue to spread and copy the data that it intends to steal.
While Google and Amazon, in their response to the story, said they have not seen any evidence to show their servers were breached, Facebook said it would review the claims. Apple commented to the Financial Times that while the tools might work in carrying out ‘targeted attacks’ on some select individuals, it did “not believe these are useful for widespread attacks against consumers.”
Pegasus and WhatsApp voice call spyware
Pegasus was earlier exploiting a zero-day vulnerability in WhatsApp, which allowed the spyware to access the phone’s camera and microphone, and collect location data. The software took advantage of a security hole in WhatsApp’s voice call function to carry out the attack.
The attackers could simply call a user to install the surveillance software. This was successful even when the call was not taken, and at times the call would not even show up in the user’s call log, so the user would not know that their device had been compromised.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company had told the Financial Times, denying these claims.