Since I last wrote about the NSO Group’s Pegasus mobile spyware last summer, there have been several new developments that show just how insidious the software is and how pervasive its use around the world.
Pegasus can be placed directly onto a target’s smartphone without any user interaction and can then start tracking a phone’s location and operations. Last year a consortium of journalists revealed who was using the spyware after doing extensive forensic research on dozens of phones. This resulted in the US Commerce Department putting NSO on a block list, the DoJ beginning investigations and Apple suing the company. Then we saw two developments from last December: first, Apple notified a bunch of US State Department employees in Uganda that their phones have been hacked. And Pegasus was found to be used to track Jamal Khashoggi and residue was found on one of his wives’ phones.
There were other reports that the FBI had tried out Pegasus but didn’t actively use it, or at least not that anyone could prove. And that a security researcher had decompiled several code samples and documentation.
Just recently, the Citizen Lab — one of the research groups involved in last summer’s project — found more cases of Pegasus used on dozens of Catalan phones, probably at the direction of various government entities in Spain. One of the researchers found a previously-unknown iOS zero-click exploit. The more we find out about Pegasus, the more I am convinced this tool spells trouble.
Again, I want to emphasize that your chances of getting infected with Pegasus are very, very low. But it does seem to crop up frequently enough, and now in places that you would think would be curious as they are free, democratic countries. NSO representatives continue to maintain that they carefully vet their potential customers and say its software is intended to investigate terrorists and potential criminals. But given that its residue has been found on phones of political figures, journalists and human rights workers, I wonder how careful this vetting process really is.