The NSO Group Spyware "Pegasus" by Adam Adler Cyber Warfare Advisor
Updated: Jul 5
LEAVE NO TRACE
DEFEND YOUR DIGITAL PRIVACY:
Adam Adler (Miami, Florida): NSO develops and sells governments access to its Pegasus spyware, allowing its nation-state customers to target and stealthily hack into the devices of its targets. Spyware like Pegasus can track a victim’s location, read their messages, and listen to their calls, steal their photos and files and siphon off private information from their device. The spyware is often installed by tricking a target into opening a malicious link, or sometimes by exploiting never-before-seen vulnerabilities in apps or phones to silently infect the victims with the spyware. The company has drawn ire for selling to authoritarian regimes, like Saudi Arabia, Ethiopia, and the United Arab Emirates.
Pegasus is a mobile phone-surveillance solution that enables customers to remotely exploit and monitor devices. NSO Group has long maintained that its mobile spyware is meant to be a tool for governments to use in fighting crime and terror and that it’s not complicit in any government’s misuse of it. Critics however say that repressive governments use it for more nefarious purposes to track dissidents, journalists, and other members of civil society — and that NSO Group assists them.
The latest version of the Pegasus implant has a number of capabilities, according to Citizen Lab, including Recording audio from the microphone including both ambient “hot mic” recording and audio of encrypted phone calls; taking pictures; tracking device location; and accessing passwords and stored credentials.
Citizen Lab’s analysis of the latest attacks found that the attackers found a footing on the phones from which to install Pegasus by exploiting a zero-day in Apple’s iMessage feature for iPhone.
“The phones were compromised using an exploit chain, which appears to involve an invisible zero-click exploit in iMessage,” researchers said.
How it's working? NSO Group delivered malicious SMS messages with links that delivered the payload; in this case, it’s a zero-click process that may involve the attacker merely sending an iMessage to the target — no user interaction required, according to Citizen Lab. The data exfiltration began swiftly: Just 16 seconds after the last connection is made to the Pegasus installation server.
The phones are hacked via four distinct clusters of servers, which could be attributable to up to four NSO Group operators, according to Citizen Labs.
In October 2019, Facebook filed a lawsuit against NSO Group, claiming that it had taken advantage of vulnerabilities in WhatsApp messaging software to propagate spyware.
WATCH ONLINE FULL DOCUMENTARY ABOUT THE NSO GROUP: CLICK HERE
The Pegasus solution utilizes cutting-edge technology specially developed by veterans of
intelligence and law enforcement agencies. It offers a rich set of advanced features and
sophisticated intelligence collection capabilities not available in the standard interception
Penetrates Android, BlackBerry, iOS, and Symbian based devices
Accesses password-protected devices
Totally transparent to the target
Leaves no trace on the device
Minimal battery, memory, and data consumption
Self-destruct mechanism in case of exposure risk
Retrieves any file from the device for deeper analysis
Extracts contacts, messages, emails, photos, files, locations, passwords, processes list and more
The Pegasus system is designed in layers. Each layer has its own responsibility forming
together a comprehensive cyber intelligence collection and analysis solution.
The main layers and building blocks of the systems are:
Installations: The Installation layer is in charge of issuing new agent installations,
upgrading and uninstalling existing agents.
Data Collection: The Data Collection layer is in charge of collecting the data from the
installed device. Pegasus offers comprehensive and complete intelligence by employing
four collection methods:
– Data Extraction: Extraction of the entire data that exists on the device upon
– Passive Monitoring: Monitor new arrival data to the device
– Active Collection: Activate the camera, microphone, GPS and other elements to
collect real-time data
– Event-based Collection: Define scenarios that automatically triggers specific
Data Transmission: The Data Transmission layer is in charge of transmitting the
collected data back to the command and control servers, using the most efficient and
Presentation & Analysis: The Presentation & Analysis component is a User Interface
that is in charge of presenting the collected data to the operators and analysts, turning
the data into actionable intelligence. This is done using the following modules:
– Real-Time Monitoring: Presents real-time collected data from specific or multiple
targets. This module is highly important when dealing with sensitive targets or during
operational activities, where each piece of information that arrives is crucial for
– Offline Analysis: Advanced queries mechanism that allows the analysts to query
and retrieve any piece of information that was collected. The advanced mechanism
provides tools to find hidden connections and information.
– Geo-based Analysis: Presents the collected data on a map and conduct
– Rules & Alerts: Define rules that trigger alerts based on specific data that arrives or
the event that occurred.
Administration: The administration component is in charge of managing the entire
system permission, security, and health:
Extracts contacts, messages, emails, photos, files, locations, passwords, processes
list and more
– Permission: The permissions mechanism allows the system administrator to
manage the different users of the system. Provide each one of them the right
access level only to the data they are allowed to. This allows defining groups in the
the organization that handle only one or more topics and other groups which handles
– Security: The security module monitors the system security level, making sure
the collected data is inserted into the system database clean and safe for future
– Health: The health component of the Pegasus solution monitor the status of all
components making sure everything is working smoothly. It monitors the
communication between the different parts, the system performance, the storage
availability, and alerts if something is a malfunction.
ORDER TODAY THE DIGITBANK VAULT ENCRYPTION SYSTEM: CLICK HERE
In order to start collecting data from your target’s smartphone, a software-based component
("Agent") must be remotely and covertly installed on their device.
The “Agent”, a software-based component, resides on the endpoint devices of the monitored
targets and its purpose is to collect the data it was configured to. The agent is supported on
the most popular operating systems: BlackBerry, Android, iOS (iPhone), and Symbian based
Each agent is independent and is configured to collect different information from the device
and to transmit it via specific channels in defined timeframes. The data is sent back to the
Pegasus servers in a hidden, compressed, and encrypted manner.
The agent continuously collects the information from the device and will transmit it once-reliable internet connection becomes available.
Communications encryption, the use of many applications, and other communications
concealing methods are no longer relevant when an agent is installed on the device.
Agent Installation Vectors
Injecting and installing an agent on the device is the most sensitive and important phase of
an intelligence operation conducted on the target device. Each installation has to be carefully
planned to ensure it is successful. The Pegasus system supports various installation
methods. The installation methods variety answers the different operational scenarios which
are unique to each customer, resulting in the most comprehensive and flexible solution.
Following are the supported installation vectors:
Remote Installation (range free):
Over-the-Air (OTA): A push message is remotely and covertly sent to the mobile
device. This message triggers the device to download and install the agent on the
device. During the entire installation process no cooperation or engagement of the target
is required (e.g., clicking a link, opening a message) and no indication appears on the
device. The installation is totally silent and invisible and cannot be prevented by the
target. This is NSO uniqueness, which significantly differentiates the Pegasus solution
from any other solution available in the market.
Enhanced Social Engineering Message (ESEM): In cases where the OTA installation
method is inapplicable1, the system operator can choose to send a regular text message
(SMS) or an email, luring the target to open it. Single-click, either planned or
unintentional, on the link will result in hidden agent installation. The installation is entirely
concealed and although the target clicked the link they will not be aware that software is
being installed on their device.
Upon successful agent installation, a wide range of data is monitored and collected from the
Textual: Textual information includes text messages (SMS), Emails, calendar
records, call history, instant messaging, contacts list, browsing history, and more.
Textual information is usually structured and small in size, therefore easier to
transmit and analyze.
Audio: Audio information includes intercepted calls, environmental sounds
(microphone recording) and other audio recorded files.
Visual: Visual information includes camera snapshots, photos retrieval, and screen
Files: Each mobile device contains hundreds of files, some bear invaluable
intelligence, such as databases, documents, videos, and more.
Location: On-going monitoring of the device location (Cell-ID and GPS).
Initial Data Extraction
Once the agent is successfully injected and installed on the device, the following data that
resides and exists on the device can be extracted and sent to the command and control
Call history (call log)
As opposed to other intelligence collection solutions which provide only future monitoring of
partial communications, Pegasus allows the extraction of all existing data on the device. As a
a result of the organization benefits from accessing historical data about the target, which assists in building a comprehensive and accurate intelligence picture.
From the point the agent was successfully installed it keeps monitoring the device and
retrieves any new record that becomes available in real-time (or at specific condition if
configured differently). Below is the full list of data that is monitored by the agent:
Call history (call log)
Location tracking (Cell-ID based)
In addition to passive monitoring, upon successful agent installation a wide set of active
collection features become available. Active collection refers to active requests sent by the
operator to collect specific information from the installed device. This set of features are
called active, as they carry their collection upon explicit request of the operator. Active
the collection allows the operator to perform real-time actions on the target device, retrieving
unique information from the device and from the surrounding area of the target, including:
Location tracking (GPS based)
Voice calls interception
Environmental sound recording (microphone recording)
Active collection differentiates Pegasus from any other intelligence collection solution, as the
operator controls the information that is collected. Instead of just waiting for information to
arrive, hoping this is the information you were looking for, the operator actively retrieves
important information from the device, getting the exact information he was looking for.
By default, the collected data (initial data extraction, passive monitoring, and active collection)
is sent back to the command and control center in real-time. The data is sent via data
channels, where Wi-Fi is the preferred connection to use when it is available. In other cases,
data is transmitted via cellular data channels (GPRS, 3G,4G and LTE). Extra thought was put
into compression methods and focusing on textual content transmission whenever possible.
The data footprints are very small and usually take only a few hundred bytes. This is to make
sure that the collected data is easily transmitted, ensuring minimal impact on the device and
on the target cellular data plan.
If data channels are not available, the agent will collect the information from the device and
store it in a dedicated buffer, as explained in the Data Collection section.
Data transmission is automatically ceased in the following scenarios:
Low battery: When the device battery level is below the defined threshold (5%) all
data transmission processes are immediately ceased until the device is recharged.
Roaming device: When the device is roaming, cellular data channels become pricy,
thus data transmission is done only via Wi-Fi. If Wi-Fi does not exist, the transmission will
When no data channels are available, and no indication for communication is coming back
from the device, the user can request the device will communicate and/or send some crucial
data using text messages (SMS).
The communication between the agent and the central servers is indirect (through
the anonymizing network), so trace back to the origin is non-feasible.