Article

25 Sep 2018

Author:
Dj Pangburn, Fast Company (USA)

Citizen Lab report finds NSO Group's spyware used against activists is spreading into US, Canada, France & 43 other countries

"This powerful off-the-shelf phone-hacking tool is spreading" 18 September 2018

Researchers at internet watchdog Citizen Lab have found that a sophisticated piece of spyware designed to break into most commercially available smartphones is now in use in 45 countries. Pegasus, designed by Israeli security firm NSO Group, has been pitched as a so-called “lawful intercept” tool for governments with highly questionable human rights records like Bahrain, United Arab Emirates, and Saudi Arabia.

Now, says Citizen Lab, it’s infecting smartphones in countries like the U.S., Canada, and France.

Pegasus, which is considered the most sophisticated commercial spyware to be made public, has for several years been implicated in efforts to surveil activists, journalists, and lawyers in Mexico, Panama, and many other countries. Last year, Citizen Lab senior researcher John Scott-Railton told Fast Company that once downloaded onto a phone (via a website link in a text message or email), the software can do anything that users can do, including read text messages, turn on the camera and microphone, add and remove files, and manipulate data...

According to a 2016 price list, NSO charges customers $650,000 to hack 10 devices, on top of a $500,000 installation fee.

Coming only a few months after Pegasus was named in an attempt to hack an Amnesty International staffer’s phone, and weeks after the New York Times reported that NSO Group was hacking journalists to impress clients, Citizen Lab’s new report describes a broader reach than previously thought...

...Despite Citizen Lab’s persistent research, NSO Group appears to operate as though it is business as usual. Given the chance to respond to Citizen Lab’s report prior to its release, NSO Group cofounder Shalev Hulio insisted Pegasus is “licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror,” and that the business complies with “applicable export control laws.”...

More from the Citizen Lab Report "Hide and Seek":

...Scanning, Clustering, and DNS Cache Probing

In August 2016, award-winning UAE activist Ahmed Mansoor was targeted with NSO Group’s Pegasus spyware. We clicked on the link he was sent and obtained three zero-day exploits for the Apple iPhone, as well as a copy of the Pegasus spyware. We fingerprinted the behaviour of the exploit link and C&C servers in the sample sent to Mansoor, and scanned the Internet for other matching front-end servers. We found 237 servers. After we clicked on the link, but before we published our findings on August 24, NSO Group had apparently taken down all of the Pegasus front-end servers we detected. In the weeks after our report, we noticed a small number of Pegasus front-end servers come back online, but the servers no longer matched our fingerprint. We developed a new fingerprint and began conducting regular Internet scans.

Between August 2016 and August 2018, we detected 1,091 IP addresses and 1,014 domain names matching our fingerprint. We developed and used Athena, a novel fingerprinting technique to group most of our results into 36 distinct Pegasus systems, each one perhaps run by a separate operator.

We next sought to identify where these Pegasus systems were being used. We hypothesized that devices infected with Pegasus would regularly look up one or more of the domain names for the operator’s Pegasus front-end servers using their ISP’s DNS servers. We regularly probed tens of thousands of ISP DNS caches around the world via DNS forwarders looking for the Pegasus domain names.
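The cache probing described above can be implemented as a classic DNS cache-snooping check. The following is an added example, not code from the Citizen Lab report or from Fast Company. It assumes the standard snooping mechanism: send a type-A query with the "recursion desired" bit cleared (RD=0), so a resolver that honours the bit answers only from its own cache and never fetches the name on the prober's behalf. A non-empty answer means some client behind that resolver recently looked the name up; an empty answer means it is not cached; REFUSED means the resolver does not serve non-recursive queries and the probe is inconclusive. The domain name, transaction ID, sample IP and the helper names are hypothetical, and the sample resolver replies are constructed inline so the block runs offline.

```python
import socket
import struct

# Constructed for this example: a hypothetical domain standing in for one of
# the Pegasus front-end names. The real names are in the Citizen Lab report
# and are not reproduced here.
SUSPECT_DOMAIN = "frontend.example.invalid"
TXID = 0x1234  # arbitrary transaction ID used by the probe


def encode_name(qname: str) -> bytes:
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in qname.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_probe(qname: str, txid: int = TXID) -> bytes:
    """Build a type-A query with the RD bit cleared (non-recursive).

    A resolver that honours RD=0 answers only from its cache, so the probe
    reveals cache state without asking the resolver to resolve the name and
    without adding it to the cache.
    """
    flags = 0x0000                      # QR=0, OPCODE=QUERY, RD=0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def classify_response(resp: bytes, txid: int = TXID) -> dict:
    """Parse the reply to an RD=0 probe and report what it implies about the cache."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction ID does not match the probe")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):            # skip the echoed question section
        off = _skip_name(resp, off) + 4
    ttls = []
    for _ in range(ancount):            # collect TTLs of A records in the answer section
        off = _skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1:
            ttls.append(ttl)            # a cached TTL counts down from the authoritative value
        off += rdlen
    if rcode == 5:
        status = "refused"              # resolver rejects non-recursive queries: inconclusive
    elif rcode == 0 and ancount > 0:
        status = "cached"               # someone behind this resolver looked the name up recently
    elif rcode == 0:
        status = "not_cached"
    else:
        status = "rcode_%d" % rcode
    return {"status": status, "rcode": rcode, "answers": ancount, "ttls": ttls}


def probe_resolver(resolver_ip: str, qname: str, timeout: float = 2.0) -> dict:
    """Send the probe over UDP to a live resolver (not exercised offline)."""
    query = build_probe(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return classify_response(data)


def make_sample_response(query: bytes, rcode: int, ttl=None) -> bytes:
    """Constructed resolver reply for offline use: echoes the question and,
    when ttl is given, appends one A record whose owner name is a pointer
    to the question name (0xC00C). The 203.0.113.7 address is a documentation
    address, not a real front-end."""
    txid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    flags = 0x8080 | rcode              # QR=1, RA=1, given RCODE
    answers = b""
    if ttl is not None:
        answers = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes([203, 0, 113, 7])
    header = struct.pack("!HHHHHH", txid, flags, qd, 1 if ttl is not None else 0, 0, 0)
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_probe(SUSPECT_DOMAIN)
    for label, resp in [("cached", make_sample_response(q, 0, ttl=271)),
                        ("not cached", make_sample_response(q, 0)),
                        ("refused", make_sample_response(q, 5))]:
        print(label, classify_response(resp))
```

Two practitioner caveats apply to any real run. Many public resolvers either refuse RD=0 queries or silently recurse anyway, so a non-empty answer with a TTL equal to the authoritative value (rather than counting down) should be treated as a resolver that fetched the name for you, not as evidence of a prior lookup. And as the report itself notes for geolocation, a hit tells you a client of that resolver asked for the name, not which client or where it physically sits.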

Our Findings

We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia. As our findings are based on country-level geolocation of DNS servers, factors such as VPNs and satellite Internet teleport locations can introduce inaccuracies...