- WhatsApp, a Facebook-owned messaging app used by more than 1.5 billion people around the world, recently found a major security flaw, the Financial Times reported.
- Hackers reportedly found a way to access users’ phones simply by calling them on WhatsApp, even if the recipient didn’t pick up the call. A record of the call could even be remotely erased, according to reports.
- The WhatsApp exploit enables the installation of software from the NSO Group, a secretive firm from Israel that bills itself as a leader in cyberwarfare and is behind a software tool called Pegasus.
- Pegasus enables users to remotely access everything in an infected smartphone, from text messages to location data – and it’s next to impossible to know whether your phone was infected.
- Visit Business Insider’s homepage for more stories.
For most of us, it’s difficult to know whether our phone has been infected with spyware.
“The really sophisticated stuff is going to be designed to be very light touch and not be very observable by the user,” John Scott-Railton, a senior researcher at The Citizen Lab at the University of Toronto’s Munk School, told Business Insider.
The Citizen Lab is an academic research group that is credited as the first to identify a particularly malicious spying application named “Pegasus.”
Pegasus was created by the NSO Group, an Israeli software company that sells products to governments.
If your phone is infected with Pegasus, it’s nearly impossible to know – and that’s why it was so dangerous that a massive security flaw in the Facebook-owned WhatsApp messaging service, revealed this week by the Financial Times, enabled hackers to install Pegasus on target phones simply by calling them.
What happened with WhatsApp?
On Monday, WhatsApp issued a software update to its more than 1.5 billion users.
The update aimed to patch a massive security flaw in which hackers could infect phones simply by calling them through WhatsApp.
You didn’t need to accept the call, and records of the call could even be erased remotely after the fact – as though burglars virtually broke into your phone, took whatever they wanted, and didn’t leave a trace.
“The way to think about this is like using WhatsApp as a vector,” Scott-Railton told Business Insider. “If indeed this is NSO, their job is to find novel vectors so they can always offer their customers access to phones. And WhatsApp is just another on the list.”
Simply put: The WhatsApp security flaw was a new way for hackers to infect smartphones with malicious software.
WhatsApp fixed its security hole, but not before at least one target was affected: an unidentified UK-based human-rights lawyer.
What is Pegasus?
- Bronek Kaminski/Getty Images
What Pegasus actually does is relatively simple: Once your smartphone is infected with Pegasus, the application provides full access to it, remotely and discreetly.
That includes text messages as well as your smartphone’s camera and microphone. The spyware was created by an Israeli company, the NSO Group, and it’s nothing new.
Pegasus was first discovered in 2016 when a man in the United Arab Emirates named Ahmed Mansoor was targeted with “suspicious text messages,” Scott-Railton said.
“Those text messages actually came bearing some suspicious links,” he said. “We thought they looked pretty dicey, so my colleague Bill [Marczak] borrowed a colleague’s iPhone, clicked on the links, and was able to successfully get the phone infected with what was then a mystery piece of spyware.”
That “mystery” spyware was actually Pegasus, and Mansoor was being targeted – most likely because of his work as a human-rights advocate. Mansoor is serving a 10-year prison sentence in the UAE for publicly criticizing the government.
How do you know whether your phone is infected with spyware like Pegasus? If the hackers are doing their job right, it’s extremely difficult to find out.
- John Gress/Reuters
If your phone is infected with spyware like Pegasus, it probably won’t start suddenly overheating or ripping through battery life. If that were the case, “then the people who did it have not done their jobs right,” Scott-Railton said.
In fact, if you’re not a cybersecurity researcher, it’s nearly impossible to know.
“It’s quite tricky because the software is of course designed to be hard to find,” Scott-Railton said. “What we did in the first instance was we actually captured the network traffic going into the phone after the [link] was clicked, and that gave us the infection.”
Unless you’re monitoring the network traffic going into your smartphone and also are savvy enough to know what type of network traffic could demonstrate malicious behavior, it’s unlikely that you’d catch spyware like Pegasus running on your device.
Who makes Pegasus? And how is it used?
- CBS News/60 Minutes
Pegasus is intended as a cyberweapon for use by international governments.
An Israeli company named NSO Group operates it, and the Israeli Ministry of Defense is said to regulate sales of the software outside Israel.
“We are selling Pegasus in order to prevent crime and terror,” NSO Group CEO Shalev Hulio told “60 Minutes” in an interview earlier this year. “Intelligence agencies came to us and say: ‘We do have a problem. With the new smartphones, we can’t get valuable intelligence.'”
An unnamed European security official confirmed to “60 Minutes” that NSO Group software had been used to thwart terrorist attacks in Europe.
“It wouldn’t surprise me to know that some of NSO’s claims about being used to go after criminals are correct,” Scott-Railton told Business Insider on Wednesday. “The issue is that the fact that it’s used lawfully doesn’t falsify all these abuse cases.
What are some Pegasus abuse cases?
- Tomas Bravo/Reuters
Pegasus has been linked to the death of the Saudi journalist Jamal Khashoggi, and it was used to track a student in Canada who was critical of Saudi Arabia’s government.
“His name is Omar Abdulaziz,” Scott-Railton said. “He’s a Saudi critic going to college in Montreal. We found that his infected phone was bouncing back and forth between his home network and his university gym over last summer.”
A similar story played out in Mexico in 2017, according to Scott-Railton:
“We had this crazy case that I found in Mexico back in 2017 where three people – a nutrition activist, a public-health researcher, and a consumer advocate – were all targeted with Pegasus in Mexico.
“The only thing that holds them in common is that they were all advocating to slightly increase the tax on soda beverages. So the most reasonable implication is that somebody from a private interest directed somebody from the government in order to target these people because they were pushing against the soda lobby in Mexico. State-grade malware – it’d be like targeting somebody with Stuxnet because they had suggested there be a 10-cent bottling fee on Coca-Cola.”
What can you do?
First and foremost, you should update WhatsApp to seal up that security hole.
“We’re reasonably satisfied that we watched WhatsApp block an infection attempt,” Scott-Railton said.
He also encouraged people to not lose faith in encrypted messaging apps like WhatsApp simply because of a single security flaw. “Users should not lose confidence in encrypted messaging at all,” he said. “Encrypted messaging is important.”
Beyond that, there’s little else you can do outside giving up on smartphones altogether.
Scott-Railton offered a final warning: “Readers should be concerned that there are companies finding, stockpiling, and selling these really powerful vulnerabilities that make us all less secure.”