What is Pegasus spyware, how it works, and how it hacks into WhatsApp

Pegasus is in the news. It is a spyware developed by an Israeli company, and the way it works makes it almost impossible for a victim to know that they have been hacked.

In Short

  • Pegasus is a spyware developed by the Israeli firm NSO.
  • Governments reportedly use this spyware across the world to spy on some people.
  • Pegasus can be used to hack into smartphones and scoop details of WhatsApp chats.

Pegasus is in the news again. The last we heard of it in India was in 2019, when some WhatsApp users — including journalists and activists — received messages from WhatsApp telling them that Pegasus had compromised their phones. One can say, though, that the Pegasus spyware never really went out of the news. It is apparently used so frequently by various governments across the world that almost every few months there are reports of how a phone was hacked using it.

On Sunday evening, a number of prominent news websites, including the Guardian and the Washington Post, published details of what they called global surveillance operations using Pegasus. The surveillance reportedly targets journalists, including over 40 journalists in India, activists and other key public figures. The reports say that over 10 governments, including India, are involved in surveillance of people using Pegasus spyware. India, in a statement to the Guardian, called the Guardian report a "fishing expedition, based on conjectures and exaggerations to malign the Indian democracy and its institutions." However, the country, in its statement to the Guardian, did not categorically deny using Pegasus.

In its statement to the Guardian, NSO Group called the report — titled The Pegasus Project — an attempt to discredit NSO Group on false grounds. "NSO does not operate the systems that it sells to vetted government customers, and does not have access to the data of its customers' targets," the company noted in its lengthy statement to the British news website.

So, what is Pegasus, and how does it work? And should you worry about it? Facts first, as in the bits we know for certain.

Pegasus is a spyware developed by NSO Group, an Israeli company that specialises in what experts call cyber weapons. It first came to the limelight in 2016, when an Arab activist got suspicious after receiving a shady message. It was believed that Pegasus was targeting iPhone users. Several days after its discovery Apple released an updated version of iOS, which reportedly patched the security loophole that Pegasus was using to hack phones.

However, a year later, security researchers found that Pegasus was equally capable of infecting Android phones. More security patches followed and more information trickled in. Then in 2019, Facebook filed a case against NSO Group for creating Pegasus. The security researchers at Facebook were chasing Pegasus across their systems, and they found that the software was used to infect the phones of several journalists and activists in India. This was also the time when WhatsApp told the affected Indian users about it through a message.

That was 2019 and this is 2021, so why are we still writing about Pegasus? This is probably because the spyware has been called the "most sophisticated" phone hacking tool ever and because it has been used so frequently that we are still hearing stories about its victims.

It is worth noting that NSO Group has confirmed the existence of Pegasus. However, the Israeli company has also said that it sells the tools only to governments and that it is not responsible for its misuse.

How does Pegasus hack a phone?

The way Pegasus hacks into phones is one reason why this spyware is so highly rated by those who use it. The phone hacking is almost seamless and the phone user has no clue that their device has been compromised.

Once a hacker identifies a phone that needs to be hacked into, they send the targeted user a malicious website link, and if the user clicks on it, Pegasus is installed on the phone. It is also installed through a security bug in voice calls made through apps like WhatsApp. In fact, so potent and secretive is this call method that Pegasus could be installed on the phone just by giving a missed call to the user. Once the software was installed, it would delete the call log entry so that the user wouldn't know about the missed call.

What could Pegasus do?

Once Pegasus is on a phone, it can potentially spy on the targeted user completely and thoroughly. Even encrypted chats like the ones made through WhatsApp were accessible to Pegasus. Security researchers have found that Pegasus can read messages, track calls, track user activity within apps, gather location data, access video cameras in a phone, or listen through their microphones.

Here is what Kaspersky researchers wrote in 2017:

"Let's be clear: We're talking total surveillance. Pegasus is modular malware. After scanning the target's device, it installs the necessary modules to read the user's messages and mail, listen to calls, capture screenshots, log pressed keys, exfiltrate browser history, contacts, and so on and so forth. Basically, it can spy on every aspect of the target's life. It's also noteworthy that Pegasus could even listen to encrypted audio streams and read encrypted messages — thanks to its keylogging and audio recording capabilities, it was stealing messages before they were encrypted (and, for incoming messages, after decryption)."

In other words, this is the ultimate surveillance tool. If a government wants to spy on someone, Pegasus, or something like this, will most likely be its preferred choice.

At the same time, Pegasus was a smart spyware. It took every measure to avoid detection while it was spying on a user. Again, this is what Kaspersky researchers wrote:

"Another interesting fact about Pegasus is that it tries to hide itself really diligently. The malware self-destructs if it is not able to communicate with its command-and-control (C&C) server for more than 60 days, or if it detects that it was installed on the wrong device with the wrong SIM card (remember, this is targeted spying; NSO's clients weren't going after random victims)."

What is the current status of Pegasus?

So, what is going on with Pegasus now, and should you worry about it? As far as the classic Pegasus is concerned, it is no longer that useful. All the buzz around it nowadays is because of its past exploits and not the current ones. When information about it became public, Apple patched iOS 9 to fix the loopholes the spyware was using to hack into an iPhone. When details of Pegasus targeting WhatsApp and Android became public, Google and WhatsApp patched the security holes that Pegasus was exploiting.

In other words, if you have an iPhone running iOS 14 or a phone with Android 11, and you have the latest version of the key apps like WhatsApp installed on your phone, you do not have to worry about classic Pegasus.

But that doesn't mean your phone is hack-proof. There is no computer or phone that is hack-proof. Software like Pegasus uses zero-day security holes to infect devices. This means that it uses security holes in phones, computers and apps that even companies like Google, Apple, Facebook and others do not know about.

NSO Group still exists, and it is possible that so does an updated version of Pegasus, or some other spyware that the public doesn't know about.

But yes, classic Pegasus is not something one should worry about in 2021.

Also, it is important to note that a spyware app like Pegasus is extremely expensive. The cost is in millions of dollars, which can only be paid by big organisations or governments. In fact, NSO Group has said in the past that it sells its software only to governments. Pegasus-like tools are not mass surveillance tools. They are used for targeted surveillance. So, unless you believe that a government or a powerful organisation has reasons to put you under surveillance, you shouldn't worry about tools like Pegasus.