Spy apps may have been designed so that parents can watch over their kids, but that’s not where it stops. These sneaky apps can be used by boyfriends, girlfriends, family members, governments or even suspicious employers. So, if someone you know seems to know a little too much about your life, they could be spying on you right now.
Apple iPhone and iPad users, and not a few Android users, usually believe they are safe: there's no malware for iOS or Android, they say. Apple does little to discourage the impression; the "fruit company" doesn't even allow antivirus solutions in its App Store because, allegedly, they're not needed.
The key word here is allegedly. There actually is malware in the wild that targets iOS users. It has been proved a number of times, and in August 2016 researchers proved it again by revealing the existence of Pegasus, spyware capable of compromising iPhones and iPads (and, as later became clear, Android phones), harvesting data about the victim and establishing surveillance on them. That discovery made the whole cyber security world uneasy.
Tension rose further when a subsequent report alleged that the same spyware had been used to track Jamal Khashoggi, the Saudi journalist and Washington Post columnist who was murdered in October 2018, a reminder that such spyware puts anyone's information, emails, photos, texts and calls at risk.
And then at the end of this post, there is a pretty important link to a tip that tells you how to remove any spy apps that might be on your phone.
In this post we reproduce the Citizen Lab report "Hide and Seek" (September 2018), which used new Internet scanning techniques to identify 45 countries in which operators of NSO Group's Pegasus spyware may be conducting operations.
- Between August 2016 and August 2018, we scanned the Internet for servers associated with NSO Group's Pegasus spyware. We found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. We developed and used Athena, a novel technique, to cluster some of our matches into 36 distinct Pegasus systems, each of which appears to be run by a separate operator.
- We designed and conducted a global DNS Cache Probing study on the matching domain names in order to identify in which countries each operator was spying. Our technique identified a total of 45 countries where Pegasus operators may be conducting surveillance operations. At least 10 Pegasus operators appear to be actively engaged in cross-border surveillance.
- Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation. At least six countries with significant Pegasus operations have previously been linked to abusive use of spyware to target civil society, including Bahrain, Kazakhstan, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates.
- Pegasus also appears to be in use by countries with dubious human rights records and histories of abusive behaviour by state security services. In addition, we have found indications of possible political themes within targeting materials in several countries, casting doubt on whether the technology is being used as part of “legitimate” criminal investigations.
1. Executive Summary
Israel-based “Cyber Warfare” vendor NSO Group produces and sells a mobile phone spyware suite called Pegasus. To monitor a target, a government operator of Pegasus must convince the target to click on a specially crafted exploit link, which, when clicked, delivers a chain of zero-day exploits to penetrate security features on the phone and installs Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity.
Pegasus exploit links and C&C servers use HTTPS, which requires operators to register and maintain domain names. Domain names for exploit links sometimes impersonate mobile providers, online services, banks, and government services, which may make the links appear to be benign at first glance. An operator may have several domain names that they use in exploit links they send, and also have several domain names they use for C&C. The domain names often resolve to cloud-based virtual private servers (we call these front-end servers) rented either by NSO Group or the operator. The front-end servers appear to forward traffic (via a chain of other servers) to servers located on the operator’s premises (we call these the back-end Pegasus servers).
Scanning, Clustering, and DNS Cache Probing
In August 2016, award-winning UAE activist Ahmed Mansoor was targeted with NSO Group's Pegasus spyware. We clicked on the link he was sent and obtained three zero-day exploits for the Apple iPhone, as well as a copy of the Pegasus spyware. We fingerprinted the behaviour of the exploit link and C&C servers in the sample sent to Mansoor, and scanned the Internet for other matching front-end servers. We found 237 servers. After we clicked on the link, but before we published our findings on August 24, NSO Group had apparently taken down all of the Pegasus front-end servers we detected. In the weeks after our report, we noticed a small number of Pegasus front-end servers come back online, but the servers no longer matched our fingerprint. We developed a new fingerprint and began conducting regular Internet scans.
Between August 2016 and August 2018, we detected 1,091 IP addresses and 1,014 domain names matching our fingerprint. We developed and used Athena, a novel fingerprinting technique to group most of our results into 36 distinct Pegasus systems, each one perhaps run by a separate operator (Section 2).
We next sought to identify where these Pegasus systems were being used. We hypothesized that devices infected with Pegasus would regularly look up one or more of the domain names for the operator's Pegasus front-end servers using their ISP's DNS servers. We regularly probed tens of thousands of ISP DNS caches around the world via DNS forwarders, looking for the Pegasus domain names (Section 3).
We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors such as VPNs and satellite Internet teleport locations can introduce inaccuracies.
In 2017, we discovered, by retrospectively inspecting their text messages, that dozens of Mexican lawyers, journalists, human rights defenders, opposition politicians, anti-corruption advocates, and an international investigation operating in Mexico were targeted in 2016 with links to NSO Group’s Pegasus spyware. The Mexico revelations sparked a major political scandal, #GobiernoEspía, and an ensuing criminal investigation, ongoing as of the date of this report. Even after our prior reporting on the abuse of the Pegasus spyware in Mexico, it appears that there are three separate operators who operate predominantly in Mexico as of July 2018.
Gulf Cooperation Council (GCC) Countries
We identify what appears to be a significant expansion of Pegasus usage in the Gulf Cooperation Council (GCC) countries in the Middle East. In total, we identify at least six operators with significant GCC operations, including at least two that appear to predominantly focus on the UAE, one that appears to predominantly focus on Bahrain, and one with a Saudi focus. Three operators may be conducting surveillance beyond the MENA region, including in Canada, France, Greece, the United Kingdom, and the United States.
The GCC countries are well known for abusing surveillance tools to track dissidents. In August 2016, UAE activist Ahmed Mansoor was targeted with NSO Group’s Pegasus spyware after previously being targeted with spyware from FinFisher and Hacking Team. Bahrain is noteworthy for compromising journalists, lawyers, opposition politicians, and pro-democracy activists with FinFisher’s spyware between 2010 and 2012. In May and June 2018, Amnesty International reported that an Amnesty staffer and a Saudi activist based abroad were targeted with NSO Group’s Pegasus spyware. The same operator responsible for that targeting appears to be conducting surveillance across the Middle East, as well as in Europe and North America. Saudi Arabia is currently seeking to execute five nonviolent human rights activists accused of chanting slogans at demonstrations and publishing protest videos on social media.
Other Country Contexts
We identify five operators focusing on Africa, including one that appears to be predominantly focusing on the West African country of Togo, a staunch Israel ally whose long-serving President has employed torture and excessive force against peaceful opposition. The operator in Togo may have used websites with names like "nouveau president" ("new president") and "politiques infos" ("political information") to infect targets with spyware. A separate operator that appears to focus on Morocco may also be spying on targets in other countries including Algeria, France, and Tunisia. We identify several operators operating in Israel: four that appear to operate domestically and one that appears to operate both in Israel, as well as other countries including the Netherlands, Palestine, Qatar, Turkey, and the USA.
2. Fingerprinting Pegasus Infrastructure
This section describes how we traced Pegasus infrastructure, from our initial discovery in 2016 until the present.
We first began tracking NSO Group’s Pegasus spyware after the operators of UAE threat actor Stealth Falcon (later revealed to be UAE cybersecurity company DarkMatter) inadvertently gave us visibility into Pegasus infrastructure by registering a domain name whose homepage included a Pegasus link, using the same email address as a domain for a separate PC spyware product we were tracking. In August 2016, UAE activist Ahmed Mansoor was targeted with Pegasus with a text message sent to his iPhone. We clicked on the link provided in the message and obtained three zero-day exploits for Apple iOS 9.3.3, as well as a copy of the Pegasus spyware. We disclosed the exploits to Apple, which quickly released a patch blocking the Pegasus spyware. According to our scans, all of the Pegasus servers we detected (except for the C&C servers in the sample sent to Mansoor) were shut down at least two days before we published our results.
Fingerprinting in 2016: Decoy Pages
When we sought to build fingerprints for Pegasus infrastructure in 2016, we scanned the Internet for /Support.aspx, for which Pegasus servers returned decoy pages. A decoy page is a page shown when there is an undesired remote landing on a spyware server and is designed to convince the user that they are viewing a normal, benign website. However, because the functionality for showing decoy pages typically resides in the spyware server's code and likely nowhere else, it is often trivial for researchers to build fingerprints for decoy pages, and scan the Internet for these fingerprints to identify other servers associated with the same spyware system, including perhaps the servers of other operators, if the same spyware system is used by multiple operators.
Fingerprinting in 2017 and 2018: No More Decoys
After our August 2016 report, NSO Group apparently removed the /Support.aspx decoy pages, and further modified their server code to close an incoming connection without returning any data unless presented with a valid exploit link or other path on the server. This change is in line with changes made by competitors FinFisher and Hacking Team, after we disclosed how we fingerprinted their hidden infrastructure with decoy pages.
After studying the behavior of several suspected new Pegasus servers, we developed fingerprints ξ1, ξ2, and ξ3, and a technique that we call Athena. Fingerprint ξ1 is a Transport Layer Security (TLS) fingerprint. Fingerprints ξ2 and ξ3 represent two different proxying configurations we observed. We considered a server to be part of NSO Group's infrastructure if it matched ξ1 and also one of ξ2 or ξ3. We then used Athena to group our fingerprint matches into 36 clusters. We believe that each cluster represents an operator of NSO Pegasus spyware, though it is possible that some may represent demonstration or testing systems. As we have done in the past when reporting on vendors of targeted malware, we have chosen to withhold publication of specific fingerprints and techniques to prevent harm that may result from external parties generating a list of NSO Group domains using these methods.
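The two server behaviours described in this section, as an added Python illustration that is not code from the report (Citizen Lab withheld its real fingerprints, and the decoy body, header set and probe paths below are constructed stand-ins): a decoy page is reduced to the fields that stay identical across every deployment of the same server code (status, header order, body hash) and compared with a signature, while a host that answers every probe path with a silent close is only nominated for the TLS-based checks the report relied on.

```python
import hashlib

# Constructed stand-in for a decoy page; the real decoy pages and the
# fingerprints the report derived from them were withheld by Citizen Lab.
DECOY_BODY = b"<html><head><title>Support</title></head><body>Page not found.</body></html>"

# A decoy-page signature: fields that stay identical across every server
# running the same spyware server code, regardless of operator or hosting.
DECOY_SIGNATURE = {
    "status": 404,
    "header_order": ["content-type", "server", "content-length"],
    "body_sha256": hashlib.sha256(DECOY_BODY).hexdigest(),
}


def fingerprint_response(raw: bytes) -> dict:
    """Reduce a raw HTTP response to deployment-independent fields.

    An empty byte string means the server closed the connection without
    sending anything, which is itself a behaviour worth recording.
    """
    if not raw:
        return {"closed": True}
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    names = [line.partition(b":")[0].strip().lower().decode() for line in lines[1:]]
    return {
        "closed": False,
        "status": status,
        "header_order": names,
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def matches_signature(fp: dict, signature: dict) -> bool:
    """True when every field of the signature is present and equal in fp."""
    return not fp["closed"] and all(fp.get(k) == v for k, v in signature.items())


def classify_server(probes: dict) -> str:
    """Classify one host from its responses to several probe paths.

    probes maps a request path to the raw bytes received; b"" records a
    connection that was closed with no data.
    """
    decoy = probes.get("/Support.aspx")
    if decoy is not None and matches_signature(fingerprint_response(decoy), DECOY_SIGNATURE):
        return "decoy-page"            # the 2016 behaviour
    if probes and all(raw == b"" for raw in probes.values()):
        # The post-2016 behaviour: nothing back unless a valid exploit-link
        # path is requested. Many unrelated hosts also behave this way, so on
        # its own this only nominates a host for the TLS fingerprint check.
        return "silent-server"
    return "no-match"


def constructed_http(status_line: bytes, headers: list, body: bytes) -> bytes:
    """Constructed test fixture: assemble a raw HTTP/1.1 response."""
    return status_line + b"\r\n" + b"\r\n".join(headers) + b"\r\n\r\n" + body


SAMPLE_DECOY = constructed_http(
    b"HTTP/1.1 404 Not Found",
    [b"Content-Type: text/html", b"Server: Microsoft-IIS/8.5",
     b"Content-Length: " + str(len(DECOY_BODY)).encode()],
    DECOY_BODY,
)
SAMPLE_ORDINARY = constructed_http(
    b"HTTP/1.1 200 OK", [b"Server: nginx", b"Content-Type: text/html"], b"<html>hello</html>"
)

if __name__ == "__main__":
    print(classify_server({"/Support.aspx": SAMPLE_DECOY, "/": SAMPLE_ORDINARY}))  # decoy-page
    print(classify_server({"/": b"", "/Support.aspx": b"", "/login": b""}))         # silent-server
    print(classify_server({"/": SAMPLE_ORDINARY}))                                   # no-match
```

The body hash is what makes decoy pages cheap to hunt: the page is generated by the vendor's server code, so every operator's front end serves the same bytes. The silent-close behaviour is the opposite case, a deliberate absence of anything to hash, which is why the report had to fall back on a TLS fingerprint combined with observed proxying configurations rather than on HTTP content.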
Charting the Rebirth of Pegasus
NSO Group apparently told business associates that our August 2016 report and disclosures of their exploits to Apple “…disrupted their work for around 30 minutes before they…resumed operations.” Our scanning of NSO Group’s infrastructure tells a somewhat different story (Figure 4).
Twelve of the servers that were shut down before we published Million Dollar Dissident (we call these Version 2 servers) were back online in a September 25, 2016 scan and stayed online mostly continuously until an August 10, 2017 scan. These may have been C&C servers for clients that wished to continue monitoring old infections. We saw the first Version 3 server in a September 5, 2016 scan, less than two weeks after Million Dollar Dissident. Approximately one month after Million Dollar Dissident, we saw what appeared to be seven operators online. Two months after our report, we saw 14 operators online.
3. DNS Cache Probing Results
This section describes the results of our DNS Cache Probing study to identify suspected Pegasus infections (see Section 4 for study details, as well as the definition of a “suspected infection”).
We used the technique that we call Athena to cluster the IP addresses that matched our Pegasus fingerprints into what we believe are 36 distinct operators; each operator makes use of multiple IP addresses. We give each operator an Operator Name drawn from national symbols or geographic features of the country or region that appears to be targeted. For each IP address used by the operator, we extracted a domain name from its TLS certificate. We coded the domain names to generate a Suspected Country Focus and assessed whether there were Political Themes in the domains, which might suggest politically motivated targeting. We then performed DNS cache probing to generate a list of countries in which there are Possible Infections associated with the operator.
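The DNS cache probing step described here (and in the hypothesis earlier in the Executive Summary), as an added Python example that is not part of the report: it builds a query with the RD (recursion desired) bit cleared so that a resolver answers only from its cache, parses the reply, and uses the returned TTL to separate a genuine cache hit from a resolver that recursed regardless. The domain frontend.example, the resolver address and the reply bytes are constructed for the example; Citizen Lab's actual Pegasus domain list and resolver set are not reproduced.

```python
import socket
import struct


def build_probe(qname: str, txid: int = 0x1234) -> bytes:
    """Build an A query with the RD (recursion desired) bit cleared.

    With RD=0 a well-behaved resolver answers only from its cache; it will not
    go out and resolve the name on our behalf. A positive answer therefore
    means one of the resolver's own clients looked the name up recently.
    """
    flags = 0x0000  # QR=0 (query), opcode 0, RD=0
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii") for part in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Pull out the fields a cache probe needs: rcode, RA, answer count, lowest TTL."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # QTYPE + QCLASS
    ttls = []
    for _ in range(an):
        off = _skip_name(data, off)
        _rtype, _rclass, ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10 + rdlen
        ttls.append(ttl)
    return {
        "txid": txid,
        "rcode": flags & 0x000F,
        "ra": bool(flags & 0x0080),
        "answers": an,
        "min_ttl": min(ttls) if ttls else None,
    }


def classify(resp: dict, authoritative_ttl: int) -> str:
    """Decide whether the answer came from cache.

    authoritative_ttl is the TTL the zone publishes (look it up once from the
    authoritative server). A cached copy has a lower remaining TTL; an answer
    carrying the full TTL suggests the resolver ignored RD=0 and recursed
    anyway, which would make the hit meaningless.
    """
    if resp["rcode"] != 0 or resp["answers"] == 0:
        return "not-cached"
    if resp["min_ttl"] is not None and resp["min_ttl"] < authoritative_ttl:
        return "cached"
    return "inconclusive"


def send_probe(resolver_ip: str, qname: str, timeout: float = 2.0) -> dict:
    """Send one probe over UDP to a resolver (live use only; not run offline)."""
    probe = build_probe(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(probe, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    resp = parse_response(data)
    if resp["txid"] != struct.unpack(">H", probe[:2])[0]:
        raise ValueError("transaction id mismatch; discard")
    return resp


def constructed_reply(qname: str, ttl=None, txid: int = 0x1234) -> bytes:
    """Constructed test fixture: a resolver's reply, from cache (ttl set) or empty."""
    flags = 0x8080  # QR=1, RA=1, rcode=0
    question = build_probe(qname, txid)[12:]
    if ttl is None:
        return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + question
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes([203, 0, 113, 10])
    return struct.pack(">HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer


if __name__ == "__main__":
    zone_ttl = 300
    hit = parse_response(constructed_reply("frontend.example", ttl=142))
    miss = parse_response(constructed_reply("frontend.example"))
    print(classify(hit, zone_ttl), classify(miss, zone_ttl))  # cached not-cached
```

Two caveats carry over from the report. A hit tells you that some client of that resolver looked the name up, so the country attribution is only as good as the geolocation of the resolver, and VPNs or satellite teleports shift it. And a resolver that honours RD=0 is required for the method to mean anything; the TTL comparison above is the cheap check for that, since a freshly recursed answer comes back with the zone's full TTL.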
Operators Focusing on Africa
We identified five operators that we believe are focusing on Africa. One operator that we call REDLIONS uses front-end domains that appear to be almost exclusively written in the French language, including two politically themed domains (politiques-infos[.]info and nouveau-president[.]com). We found DNS cache probing hits for REDLIONS in Togo. Because we did not perform our DNS cache probing study until July 2018, we did not have the opportunity to probe one operator, AK47, which shut down in July 2017. Operators ATLAS and GRANDLACS also made use of politically themed domains (ATLAS used revolution-news[.]co and GRANDLACS used politicalpress[.]org).
| Operator name | Dates operator was active | Suspected country focus | Political themes? | Suspected infections |
|---|---|---|---|---|
| REDLIONS | Mar 2017 – present | – | Yes | Togo |
| ATLAS | Aug 2017 – present | Morocco | Yes | Algeria, Cote d'Ivoire, France, Morocco, Tunisia, UAE |
| GRANDLACS | Jun 2017 – present | Great Lakes region of Africa | Yes | Kenya, Rwanda, South Africa, Uganda |
| MULUNGUSHI | Feb 2018 – present | Zambia | – | South Africa, Zambia |
| AK47 | Dec 2016 – Jul 2017 | Mozambique | – | – |