A look at the nature and effects of legal, advanced spyware on application security
Typically, stories about cyber attacks grab the reader’s attention by describing the damage inflicted on a company in large dollar amounts. While multimillion-dollar ransomware demands are shocking, they can be quickly forgotten. After all, these situations are eventually worked out, and it’s not as if anyone’s life is in danger.
Pegasus attacks are different.
Pegasus attacks on iPhone and Android devices do not cost businesses millions in revenue. They do not trigger multiple expensive lawsuits for privacy violations or result in sensitive data being used for blackmail. Pegasus measures its damage by its chilling effect on privacy, the incalculable costs of information suppression, and in some cases, human lives.
What is Pegasus?
Pegasus is an advanced spyware that exploits vulnerabilities in mobile apps and the operating system beneath them to gain a foothold on iPhone and Android devices. Once installed, Pegasus gives the operator a considerable amount of control over the device, including the ability to:
- Obtain GPS information
- Access text messages
- Access photos
- Access emails
- Read chats from end-to-end encrypted messengers (the encryption in transit is not broken; messages are read on the device after the app has decrypted them)
- Record phone calls
- Turn on the microphone or camera without the user’s knowledge
- Perform other intrusive and malicious activity (modular malware, keylogging, screencaps, etc.)
Pegasus is the creation of the NSO Group, an Israeli firm that licenses it to governments to perform surveillance. NSO states its technology is intended to “prevent and investigate terrorism and crime to save thousands of lives around the globe”. However, Pegasus is a highly sophisticated tool, and like any tool its use is only as benevolent as the hand that wields it. The spyware allows governments to compromise citizens’ mobile devices, track them, and observe their communications. Whether it is used solely against criminals is at each customer’s discretion.
How Does Pegasus Compromise Code?
On the iPhone, Pegasus uses a zero-click attack against the iOS iMessage app to infect the device. A zero-click attack is one that requires no cooperation or interaction from the victim to succeed. Such attacks target code that parses attacker-supplied data (messages, attachments, image or document files) before the user ever sees it, so a memory-safety or input-validation flaw in that parsing path is enough to execute code, and nothing the user does or declines to do can stop it. Zero-click exploit chains also go to considerable lengths to remove or obfuscate traces of their execution, making them extremely difficult for threat researchers to detect after the fact.
Pegasus is easier to deploy on Android and can fall back to secondary attack vectors if the primary method of infection fails. The Android version analyzed by researchers did not rely on a zero-click attack; it used Framaroot-based exploits to root the device and, where rooting failed, requested the permissions it needed instead. Android also does not retain the diagnostic records that researchers relied on to identify Pegasus on iPhones, so on Android the evidence is sparser and researchers must often use specialized forensic tooling to detect an infection (Amnesty International’s Security Lab released its Mobile Verification Toolkit, MVT, for exactly this purpose).
Both the Android and iPhone versions of Pegasus ultimately rely on exploiting vulnerable code. Yet the spyware is so sophisticated that detecting its presence does little to reveal how it infiltrated the device. This is evident from the sheer length of time that iPhone users have struggled with Pegasus. Researchers and media outlets first reported the existence of the spyware in August 2016, and Apple patched the three vulnerabilities in that exploit chain (the “Trident” bugs in WebKit and the kernel) within days, in iOS 9.3.5. Yet the most recent iOS fix for a Pegasus exploit arrived on September 13, 2021, in iOS 14.8, which closed the iMessage-delivered FORCEDENTRY vulnerability (CVE-2021-30860) — five years later.
Who is Affected by Pegasus?
On July 18, 2021, Amnesty International and Forbidden Stories (a Paris-based non-profit) revealed a leaked list of some 50,000 phone numbers of potential targets of Pegasus attacks. Among the people identified were journalists, activists, politicians and other “people of interest”. The list was initially leaked to Forbidden Stories, which shared it with media partners. The Amnesty International Security Lab forensically examined a small sample of phones belonging to people on the list. The lab found indicators of Pegasus infection or attempted infection on 37 of the 67 phones examined.
In response, NSO Group released a statement denying any wrongdoing and criticizing the methodology used by the lab. It reiterated its commitment to serving only “law enforcement and intelligence agencies of vetted governments”. NSO stated that it does not operate Pegasus for clients and has no access to clients’ data, and therefore could not possess or leak a list of targets.
Governments named by Amnesty International for violating their citizens’ privacy likewise denied any wrongdoing. In India, several journalists, opposition leaders, and three state officials were identified as appearing on the list. Forensic tests on 22 smartphones belonging to suspected Indian targets found that 10 showed signs of a Pegasus attack. The Indian Government responded by denying that it uses Pegasus against non-criminals.
What Lessons Can Devs Learn from Pegasus?
One aspect that sets Pegasus apart from other malware is its focus on individual targets. While ransomware and APT groups may conduct reconnaissance on their targets before launching an attack, they are seldom concerned with the individual as such. Malware campaigns may involve spear-phishing or whaling attacks against high-ranking individuals, but the goal is usually to obtain their credentials or access. Pegasus is deployed to monitor the individual directly, not to steal their account privileges.
Likewise, traditional malware attacks usually focus on stealing money, hijacking data, or disrupting the operations of an organization. They almost always inflict financial damage through blackmail, extortion, regulatory fines, information theft, or harm to the brand. The damage Pegasus inflicts is personal and falls directly on the individual. Developers accustomed to weighing the financial risk of vulnerable code should therefore weigh the humanitarian risk as well.
Pegasus also highlights the wide spectrum of adversaries developers face. The tactics, techniques and procedures (TTPs) of APTs and criminal hackers are well documented and generally understood. Their attacks are unlawful, meaning compromised organizations can generally rely on the support of law enforcement. NSO is a well-funded private company whose customers are governments and law enforcement agencies, so it is unlikely that anyone officially deploying Pegasus will be treated as a criminal. When compromising an individual’s mobile device is lawful for the attacker, the app developer becomes the sole line of defense against Pegasus-like attacks.
What Can Devs Do?
Pegasus, like the 84% of cyber attacks that reportedly target the application layer, relies on exploiting application vulnerabilities to succeed. This makes application security testing through methods like SAST, DAST, IAST, and SCA key to preventing these attacks. Simply put, depriving organizations like NSO of vulnerabilities to exploit is the best way to stop them. Once vulnerable code has shipped, it can be extremely difficult to discover how it is being exploited. If Apple, with all its resources, was still patching iMessage five years after the first publicly documented Pegasus infection, what chance do smaller businesses have?
Open-source code presents another problem. Many open-source libraries contain known vulnerabilities, and 96% of proprietary applications contain open-source code. Simple steps like checking open-source dependencies against known-vulnerability data with tools like Intelligent SCA (I-SCA) can greatly improve application security by alerting development teams to these vulnerabilities before they ship. Likewise, static code analysis like next-generation SAST (NG-SAST) can give developers daily or weekly insight into vulnerabilities in both custom and open-source code. With these kinds of tools, security checks can be integrated throughout the software development lifecycle to better protect user data in an application.
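To make the dependency check above concrete, here is the core of what an SCA tool does, written as an added example (this is not ShiftLeft’s code or the code of any real tool): it parses a pinned requirements file and matches each dependency against an advisory feed of known-vulnerable version ranges. The package names, advisory identifiers and requirements file are all constructed for illustration; none of them refer to real advisories. It also handles the two cases that trip up naive checks: an advisory with no fixed version yet, and a dependency that is not pinned at all and therefore cannot be evaluated.

```python
"""Minimal software-composition-analysis (SCA) check.

Added example, not ShiftLeft's or any vendor's code. The advisory feed and
the requirements file below are constructed for illustration; the package
names and advisory IDs are hypothetical, not real CVEs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    package: str
    introduced: str        # first affected version (inclusive)
    fixed: str | None      # first fixed version (exclusive); None = no fix yet


# Constructed advisory feed (hypothetical identifiers).
ADVISORIES = [
    Advisory("EX-2021-0001", "imageparse", "1.0.0", "1.4.2"),
    Advisory("EX-2021-0002", "imageparse", "2.0.0", "2.0.5"),
    Advisory("EX-2021-0003", "msgfmt", "0.9.0", None),
]

# Constructed requirements file for the scan.
SAMPLE_REQUIREMENTS = """
imageparse==1.3.0   # inside the EX-2021-0001 range
msgfmt              # has an unfixed advisory but is not pinned
requests==2.25.1    # no advisories in the feed
"""


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.4.2' into (1, 4, 2); stop at the first non-numeric piece."""
    parts: list[int] = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, adv: Advisory) -> bool:
    """True if version is in [introduced, fixed), or >= introduced when unfixed."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def parse_requirements(text: str) -> dict[str, str | None]:
    """Parse 'name==version' lines; an unpinned name maps to None."""
    deps: dict[str, str | None] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.-]+)\s*(?:==\s*([^\s;]+))?", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def scan(requirements: str, advisories=ADVISORIES) -> dict[str, list[str]]:
    """Return {package: [finding, ...]} for vulnerable or unevaluable deps.

    A package with advisories but no pinned version is reported as UNPINNED:
    the tool cannot prove it safe, so silently passing it would be a false
    negative.
    """
    findings: dict[str, list[str]] = {}
    for name, version in parse_requirements(requirements).items():
        relevant = [a for a in advisories if a.package == name]
        if not relevant:
            continue
        if version is None:
            findings[name] = [
                f"UNPINNED: cannot evaluate against {len(relevant)} advisories"
            ]
            continue
        hits = [a.advisory_id for a in relevant if is_affected(version, a)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for pkg, notes in scan(SAMPLE_REQUIREMENTS).items():
        print(f"{pkg}: {', '.join(notes)}")
```

Run against the constructed file, the scan flags `imageparse` for EX-2021-0001 and `msgfmt` as unpinned, and says nothing about `requests`. A real SCA tool adds transitive dependencies, a live advisory feed and richer version grammars, but the matching step is the same.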
For more information on efficient ways to add security testing to the SDLC, visit Shiftleft.io.