News & AnalysisNewsletterSecurity

Pegasus Spyware: A Wakeup Call for Internet Security Leaders


The attacks using spyware to hack data of influential people and businesses may soon become a trend. A report by The Wire reveals on Sunday night that spyware Pegasus has targeted at least 40 Indian journalists, from well-known media organizations. Indian ministers, government officials and opposition leaders also figure in the list of people whose phones may have been compromised by the spyware, it said.

Pegasus, a product of Israeli cyber weapons company NSO Group is a spyware that can log your keystrokes, screenshot your screen and take control of your apps. It first made headlines in 2016 when it was revealed that it unsuccessfully attempted an attack on the device of UAE human rights activist Ahmed Mansoor. He received text messages on his iPhone promising ‘new secrets’ about tortured prisoners in the country if he opened a link in the SMS. Instead of following the instructions, Mansoor sent the messages to researchers at Citizen Lab, who traced the origin of the links back to infrastructure belonging to the NSO Group.

In May 2019, WhatsApp brought the matter to light when it sued Israeli spyware maker NSO Group for its Pegasus spyware that was allegedly used to snoop on journalists, activists, lawyers and senior government officials in 20 countries around the world, hacking into phones of roughly 1,400 users around the world, including 121 Indians.

Calling it as an attack of freedom to India, Nikhil Pahwa is an Indian journalist and digital rights activist says that surveillance by governments using Pegasus is not uncommon. “We’ve known about Pegasus since 2016. First known use in India that we know about was in Bhima Koregoan, allegedly by the Indian government,” he tweets.

Pegasus exploits the vulnerabilities of your mobile device operating system which makes it so powerful that it can extract information from all apps on your phone including iMessage, WhatsApp, Gmail, Viber, Facebook, Skype and locations. The NSO Group has categorically denied all allegations of wrongdoing and said that it sold Pegasus only to “vetted and legitimate government agencies”.

Pahwa alleges that the Indian government has used Pegasus to spy on noted people, as the company only sells to vetted governments. However, the Ministry of Electronics and Information Technology has called the snooping allegations ‘false and malicious’ and said that there has been no unauthorized interception by government agencies.

Condemning it as a strong case of human rights abuse, WhatsApp head Will Cathcart mentions on Twitter, “NSO’s dangerous spyware is used to commit horrible human rights abuses all around the world and it must be stopped”.

NSO allegedly first created fake WhatsApp accounts, which were then used to make video calls. When an unsuspecting user’s phone rang, the attacker transmitted the malicious code and the spyware got auto-installed in the phone even if the user did not answer the call.

Through Pegasus, the attacker then took over the phone’s systems, gaining access to the user’s WhatsApp messages and calls, regular voice calls, passwords, contact lists, calendar events, phone’s microphone, and even the camera.

“They rely on unknown vulnerabilities in mobile OS, which is one of the reasons why we felt it was so important to raise awareness of what we’d found,” he says.

“The depth and breadth of this extraordinary effort to spy on journalists and activists is an appalling example of the lengths governments will go to silence and intimidate their critics,” said PEN America’s digital freedom director Matt Bailey. “But it is also a reminder that these capabilities are too often developed and supported by a growing array of callously profit-motivated commercial providers who sell these dangerous technologies to whoever is willing to pay.

Amnesty International’s Security Lab also carried out an in-depth forensic analysis of several mobile phones of human rights defenders and journalists from around the world to find out that Pegasus’s surveillance is not just a violation of user privacy, it also goes against human rights.

According to the forensic methodology report by Amnesty, Apple’s iPhone is the easiest to spy on using the Pegasus software. The leaked database shows that iPhones running iOS 14.6 contain a zero-click iMessage exploit and this exploit could have been used to install Pegasus software on the iPhone devices of the targeted entities. This exploit was discovered by Citizen Labs previously. Known as KISMET,  it allowed the installation of the Pegasus software for the purpose of complete surveillance. The exploit was patched through an urgent software update that Apple released, but it seems like the exploit remains there dormant until a zero-click is fired.

Pegasus can be installed on a target’s phone in many ways, in some cases by sending infected links to targets (spear phishing), social engineering, believe experts. The key question is, however, “Can such software be used in future by terrorist organisations, to attack individuals, businesses and nations?” Also “are we prepared for any such attacks?”

As Pahwa notes, “Cybersecurity threats and cyber surveillance are here to stay. There is a weaponization of cyberspace that is taking place at an alarming pace. We need the UN to step in. We need disarmament of the cyberspace. No one will ever feel secure to have trusted communications.

In this context, L Subramanyan, noted journalist and Founder and CEO of Trivone discusses the implications of such attacks in a corporate structure.

According to him, “While the NSO group may claim today that it only sells to Governments, there is no system that can actually verify the claim, not just for NSO but for every creator of spyware or malware. Consequently, how do we hold the spyware creators accountable when they have the overt and covert support of governments across the world?”

Quoting a Microsoft data, he explains that IT companies are targeted around 44% of the time as compared to Governments which account for only 18% of the cyberattacks. This raises the stakes for the purveyors of technology as they continue to remain the most vulnerable from the Private Sector Offensive Actors (PSOA) who are the creators of the spyware in the first place. This also means that the tech they sell, be it Cloud solution, Enterprise applications, Collaboration solutions et al are the primary targets of the spyware.

“This also means that customers of these tech companies should be a worried lot as their technology provider could be hacked anytime which will impact their (the enterprise customer’s) businesses. And this could be from the Government agencies, private hackers, lone-wolf cyber punks or in some cases, even their own competitors,” Subramanyan says.

Karmesh Gupta, CEO, WiJungle, believes, “At an individual level there is no way to secure oneself from Pegasus except keeping OS and mobile apps updated. The vulnerabilities need to be fixed by OS and mobile apps developers to prevent invasion of sophisticated & zero click spyware like Pegasus.”

“In order to prevent oneself from an ordinary spyware, he/she shall avoid clicking links sent in msg and emails by an unknown sender. Similarly the internet calls from unknown senders shall be refrained. Second, if one is a victim then the only way to get free from it is to delete all apps and discard using that device,” recommends Gupta.

“This is a wakeup call for security on the internet. The mobile phone is the primary computer for billions of people. Governments and companies must do everything they can to make it as secure as possible. Our security and freedom depend on it,” Cathcart adds.

It is time the government and corporate entities take spyware and other cyber attack seriously and gets ready for a ‘surveillance reform’ soon.

Leave a Response

Sohini Bagchi
Sohini Bagchi is Editor at CXOToday, a published author and a storyteller. She can be reached at