
The NSO Group Spyware "Pegasus" by Adam Adler Cyber Warfare Advisor

Updated: Jul 5

Adam Adler (Miami, Florida): NSO Group develops the Pegasus spyware and sells governments access to it, allowing its nation-state customers to covertly hack into the devices of the people they target. Spyware like Pegasus can track a victim’s location, read their messages, listen to their calls, steal their photos and files, and siphon private information off the device. The spyware is often installed by tricking a target into opening a malicious link, or by exploiting previously unknown (zero-day) vulnerabilities in apps or phones to silently infect the victim. The company has drawn ire for selling to authoritarian regimes such as Saudi Arabia, Ethiopia, and the United Arab Emirates.

Pegasus is a mobile-phone surveillance product that enables customers to remotely exploit and monitor devices. NSO Group has long maintained that its spyware is meant to be a tool for governments to use in fighting crime and terrorism, and that it is not complicit in any government’s misuse of it. Critics, however, say that repressive governments use it for more nefarious purposes, tracking dissidents, journalists, and other members of civil society, and that NSO Group assists them.

According to Citizen Lab, the latest version of the Pegasus implant can record audio from the microphone (both ambient “hot mic” recording and the audio of encrypted phone calls), take pictures, track the device’s location, and access passwords and stored credentials.

Citizen Lab’s analysis of the latest attacks found that the attackers gained their initial foothold on the phones, from which Pegasus was then installed, by exploiting a zero-day in Apple’s iMessage on iPhone.

“The phones were compromised using an exploit chain, which appears to involve an invisible zero-click exploit in iMessage,” researchers said.

How does it work? Previously, NSO Group delivered malicious SMS messages with links that fetched the payload; in this case it is a zero-click process that may involve nothing more than the attacker sending an iMessage to the target, with no user interaction required, according to Citizen Lab. Data exfiltration began swiftly: just 16 seconds after the last connection was made to the Pegasus installation server.

The phones were hacked via four distinct clusters of servers, which could be attributable to as many as four NSO Group operators, according to Citizen Lab.

In October 2019, Facebook filed a lawsuit against NSO Group, claiming that it had exploited vulnerabilities in WhatsApp’s messaging software to distribute spyware.


The Pegasus solution utilizes cutting-edge technology specially developed by veterans of intelligence and law enforcement agencies. It offers a rich set of advanced features and sophisticated intelligence collection capabilities not available in the standard interception


Penetrates Android, BlackBerry, iOS, and Symbian-based devices

Accesses password-protected devices

Totally transparent to the target

Leaves no trace on the device

Minimal battery, memory, and data consumption

Self-destruct mechanism in case of exposure risk

Retrieves any file from the device for deeper analysis

Extracts contacts, messages, emails, photos, files, locations, passwords, processes list and more

The Pegasus system is designed in layers. Each layer has its own responsibility, and together they form a comprehensive cyber intelligence collection and analysis solution.

The main layers and building blocks of the system are:

Installations: The Installation layer is in charge of issuing new agent installations and upgrading and uninstalling existing agents.

Data Collection: The Data Collection layer is in charge of collecting the data from the installed device. Pegasus offers comprehensive and complete intelligence by employing four collection methods:

– Data Extraction: Extraction of all the data that exists on the device upon agent installation

– Passive Monitoring: Monitors new data arriving on the device

– Active Collection: Activates the camera, microphone, GPS and other elements to collect real-time data

– Event-based Collection: Defines scenarios that automatically trigger specific data collection

Data Transmission: The Data Transmission layer is in charge of transmitting the collected data back to the command and control servers, using the most efficient and safe way.

Presentation & Analysis: The Presentation & Analysis component is a user interface that is in charge of presenting the collected data to the operators and analysts, turning the data into actionable intelligence. This is done using the following modules:

– Real-Time Monitoring: Presents real-time collected data from specific or multiple targets. This module is highly important when dealing with sensitive targets or during operational activities, where each piece of information that arrives is crucial for decision making.

– Offline Analysis: An advanced query mechanism that allows analysts to query and retrieve any piece of information that was collected. The advanced mechanism provides tools to find hidden connections and information.

– Geo-based Analysis: Presents the collected data on a map and conducts geo-based queries.

– Rules & Alerts: Defines rules that trigger alerts based on specific data that arrives or events that occur.

Administration: The administration component is in charge of managing the entire system’s permissions, security, and health:

– Permission: The permissions mechanism allows the system administrator to manage the different users of the system, giving each of them the right access level only to the data they are allowed to see. This allows defining groups in the organization that handle only one or more topics, and other groups that handle different topics.

– Security: The security module monitors the system security level, making sure the collected data is inserted into the system database clean and safe for future


– Health: The health component of the Pegasus solution monitors the status of all components, making sure everything is working smoothly. It monitors the communication between the different parts, the system performance, and the storage availability, and alerts if something malfunctions.


Agent Installation

In order to start collecting data from your target’s smartphone, a software-based component ("Agent") must be remotely and covertly installed on their device.

Agent Purpose

The “Agent”, a software-based component, resides on the endpoint devices of the monitored targets, and its purpose is to collect the data it was configured to collect. The agent is supported on the most popular operating systems: BlackBerry, Android, iOS (iPhone), and Symbian based


Each agent is independent and is configured to collect different information from the device and to transmit it via specific channels in defined timeframes. The data is sent back to the Pegasus servers in a hidden, compressed, and encrypted manner.

The agent continuously collects information from the device and transmits it once a reliable internet connection becomes available.

Communications encryption, the use of many applications, and other communications-concealing methods are no longer relevant once an agent is installed on the device.

Agent Installation Vectors

Injecting and installing an agent on the device is the most sensitive and important phase of an intelligence operation conducted on the target device. Each installation has to be carefully planned to ensure it is successful. The Pegasus system supports various installation methods. This variety of installation methods answers the different operational scenarios that are unique to each customer, resulting in the most comprehensive and flexible solution.

Following are the supported installation vectors:

Remote Installation (range free):

Over-the-Air (OTA): A push message is remotely and covertly sent to the mobile device. This message triggers the device to download and install the agent. During the entire installation process no cooperation or engagement of the target is required (e.g., clicking a link, opening a message) and no indication appears on the device. The installation is totally silent and invisible and cannot be prevented by the target. This is NSO’s unique capability, which significantly differentiates the Pegasus solution from any other solution available in the market.

Enhanced Social Engineering Message (ESEM): In cases where the OTA installation method is inapplicable, the system operator can choose to send a regular text message (SMS) or an email, luring the target to open it. A single click on the link, whether planned or unintentional, will result in hidden agent installation. The installation is entirely concealed, and although the target clicked the link they will not be aware that software is being installed on their device.

Data Collection

Upon successful agent installation, a wide range of data is monitored and collected from the


Textual: Textual information includes text messages (SMS), emails, calendar records, call history, instant messaging, contacts list, browsing history, and more. Textual information is usually structured and small in size, and therefore easier to transmit and analyze.

Audio: Audio information includes intercepted calls, environmental sounds (microphone recording) and other recorded audio files.

Visual: Visual information includes camera snapshots, photos retrieval, and screen


Files: Each mobile device contains hundreds of files, some of which bear invaluable intelligence, such as databases, documents, videos, and more.

Location: On-going monitoring of the device location (Cell-ID and GPS).

Initial Data Extraction

Once the agent is successfully injected and installed on the device, the following data that resides on the device can be extracted and sent to the command and control


SMS records

Contacts details

Call history (call log)

Calendar records


Instant Messaging

Browsing history

As opposed to other intelligence collection solutions, which provide only future monitoring of partial communications, Pegasus allows the extraction of all existing data on the device. As a result, the organization benefits from access to historical data about the target, which assists in building a comprehensive and accurate intelligence picture.

Passive Monitoring

From the point the agent is successfully installed, it keeps monitoring the device and retrieves any new record that becomes available in real time (or under specific conditions, if configured differently). Below is the full list of data that is monitored by the agent:

SMS records

Contacts details

Call history (call log)

Calendar records


Instant Messaging

Browsing history

Location tracking (Cell-ID based)

Active Collection

In addition to passive monitoring, upon successful agent installation a wide set of active collection features becomes available. Active collection refers to active requests sent by the operator to collect specific information from the installed device. These features are called active because they carry out their collection upon explicit request of the operator. Active collection allows the operator to perform real-time actions on the target device, retrieving unique information from the device and from the surrounding area of the target, including:

Location tracking (GPS based)

Voice calls interception

File retrieval

Environmental sound recording (microphone recording)

Photo taking

Screen capturing

Active collection differentiates Pegasus from any other intelligence collection solution, as the operator controls the information that is collected. Instead of just waiting for information to arrive and hoping it is the information you were looking for, the operator actively retrieves important information from the device, getting exactly the information he was looking for.

Data Transmission

By default, the collected data (initial data extraction, passive monitoring, and active collection) is sent back to the command and control center in real time. The data is sent via data channels, where Wi-Fi is the preferred connection when it is available. Otherwise, data is transmitted via cellular data channels (GPRS, 3G, 4G and LTE). Extra thought was put into compression methods and into focusing on textual content transmission whenever possible. The data footprints are very small and usually take only a few hundred bytes. This makes sure that the collected data is easily transmitted, ensuring minimal impact on the device and on the target’s cellular data plan.

If data channels are not available, the agent will collect the information from the device and store it in a dedicated buffer, as explained in the Data Collection section.

Data transmission is automatically ceased in the following scenarios:

Low battery: When the device battery level is below the defined threshold (5%), all data transmission processes are immediately ceased until the device is recharged.

Roaming device: When the device is roaming, cellular data channels become pricey, so data transmission is done only via Wi-Fi. If Wi-Fi is not available, the transmission will be ceased.

When no data channels are available and no indication of communication is coming back from the device, the user can request that the device communicate and/or send some crucial data using text messages (SMS).

The communication between the agent and the central servers is indirect (through the anonymizing network), so tracing it back to the origin is not feasible.