In Greek mythology, the winged horse Pegasus helped a hero dispatch a monster. In the realm of cybersecurity, Pegasus is the monster. It is malicious spyware that can infect your smartphone, whether Android or Apple, and give hackers access to everything your phone holds.
Pegasus does this by subverting your smartphone to watch and record you through the phone’s camera. It can switch on the microphone in your device and record your conversations. It can copy your messages, record your calls, and extract all your images.
The brainchild of an Israeli company, NSO Group, Pegasus can infect a phone running on an iOS or Android operating system without requiring the victim to fall for a spear-phishing attack (text or emails that lure you into clicking a malicious link). It can infect your device whenever you place a WhatsApp call to a target device. But you don’t even have to actively do anything to be a victim. Pegasus can also get into your smartphone by remotely exploiting defects in your operating system.
Developed to combat terrorists, Pegasus has been sold to regimes and perhaps private purchasers around the world to target journalists and dissidents.
For example, after Mexico purchased Pegasus, someone used it to locate Cecilio Pineda Birto, a journalist. Hours after Pineda accused a state police force and local politicians of conspiring with violent criminals, he was gunned down while he waited for his car to come out of a carwash. Data leaks reveal that 26 Mexican journalists were at least targets of interest by a buyer of this technology in 2016 and 2017.
Pegasus, sold to Saudi Arabia, has been found by forensic analysts on the phone of the wife of murdered dissident Jamal Khashoggi.
And this week, Pegasus has roiled the politics and law enforcement of its country of origin. On Monday, it was revealed that Pegasus was used against Israeli citizens and politicians by investigators looking to prosecute former Israeli Prime Minister Benjamin Netanyahu for accepting illicit gifts. Naftali Bennett, the current Israeli Prime Minister, said Pegasus was meant to be used against terrorists and major criminals, not to be used against the Israeli public or officials.
In the United States, the FBI purchased Pegasus in 2019. So far it claims to have kept it under lock and key in an office in New Jersey. The U.S. Commerce Department acted against this spyware’s developer, NSO, putting it on a list of foreign companies that restricts the ability of U.S. companies to work with it. But it remains to be seen whether a U.S. administration will succumb to the temptation to use this digital master key to unlock data on the phones of its perceived opponents—or has already done so and is just waiting to be outed for such a breach.
International alarm, at least, is heightening, generating pushback from businesses, governments, and NGOs. Apple, outraged at the compromising of its system which the company has labored to keep secure, launched a lawsuit against NSO late last year. In Israel, authorities are now investigating the investigators. And the Electronic Frontier Foundation has set out a well-reasoned set of policy recommendations, beginning with a call to smartphone developers and governments to do a better job of providing strong encryption and device security.
The problem with Pegasus, as with cell-site simulators, facial recognition technology, and other privacy nightmares, is that this technology raced ahead of policy. The Israeli government should never have allowed something this lethal to be unleashed commercially as a weapon on the world market. Now Pegasus has the potential to be the cybersecurity equivalent of Covid. It may take years to safeguard smartphones and other devices. In the meantime, if you are concerned that your device may be infected, there are steps you can take to see if Pegasus spyware is in your phone.