Forbidden Stories and Amnesty International had access to a leak of more than 50,000 phone numbers targeted by Pegasus spyware, developed by Israeli’s NSO Group Technologies (NSO). Access to the data, which dates back to 2016, was shared with news organizations and led to several months of investigation. The Guardian investigated the matter and discovered that there were thousands of phone numbers and records of people who were allegedly targeted by dubious government agencies. Among them were renowned journalists, government officials, human rights activists, and lawyers.
Pegasus was first developed in 2010 and designed to infect mobile devices by sending a malicious message to the target via SMS or WhatsApp. It’s a zero-click attack where it doesn’t require the receiver to click on any link or interact with the message in any way. Once it installs itself, Pegasus will have full access to the device; it can read user data such as text and WhatsApp messages and control the microphone and camera of the device to capture conversations.
The spyware exploits zero-day vulnerability – software security flaw that is not yet fixed – which makes every device vulnerable, and effectively everyone is a target. Pegasus gains access over everything without being detected, rendering other security measures such as end-to-end encryption of messages useless.
With such capability, Pegasus enables governments to spy on their citizens and could be one of the most invasive forms of surveillance ever created. NSO claimed to have created Pegasus for crime and terror investigations. It clarified that the software is sold only to the military, law enforcement, and intelligence agencies from countries with good human rights records. There were several reported cases, however, of the use of Pegasus by repressive governments.
The NSO group portrayed Pegasus as a government law enforcement tool, yet after several independent investigations, the true nature and impact of the spyware are rearing its ugly head.