All you need to know about the Pegasus Spyware

Supratik Mitra | Updated: July 27, 2021, 2:03 PM


The Pegasus spyware is military-grade surveillance software developed and sold by an Israeli firm called the NSO. According to the NSO group, the spyware is sold to vetted, verified, and authorised states and state agencies for use against terrorism and in law enforcement.

What Information Can Pegasus Access?

Once the device is infected with the malware, the attacker can gain complete control of it, and the infected device becomes a tapping and tracking tool.

Pegasus spyware not only gives the attacker the user’s private chats, phone conversations, contacts, and email, but also uses the device’s GPS feature to track the location of the user. It can send the attacker the user's private data stored on the device such as passwords, calendar events, and even end-to-end encrypted messages. It also gives the attacker control over the device's microphone and video camera. 

Antivirus software might not offer total protection from the Pegasus spyware, as the spyware sends only scheduled updates to the command and control server, i.e. the attacker. This helps it avoid detection by antivirus software that might be installed on the user’s device, and by forensic analysis. The attacker can also deactivate the malware remotely if deemed necessary, making it incredibly hard to tell whether a phone was ever, or still is, infected.

What makes the Pegasus Spyware so infectious? 

Generally, malware requires the user to click on something, such as opening an email in which the malware is embedded. So an infection generally requires an interaction between the user and the malicious software.

However, that is not the case with the Pegasus spyware. It allows the attacker to use a series of ‘network injections’ to install the malware on someone’s phone without any interaction by the user, allowing for a ‘zero-click’ attack on anyone.

One such way is its push-message option, which involves messages from an app already installed on the phone, making the target device load the malware covertly, without any interaction with the user of the device.

The Pegasus spyware only needs someone’s phone number to carry out its ‘network injection’; the rest is automated by its system. NSO, the firm responsible for creating the malware, has confirmed that this feature of ‘zero-click’ infection makes the Pegasus spyware unique.

Who has access to the spyware? 

The NSO sells the spyware only to vetted states and state agencies to assist in national security and law enforcement investigations. The firm has also clearly stated that the NSO group does not operate the Pegasus system, and that it can only be deployed by a government operator.

The spyware can only be deployed against one phone number at a time. Therefore, the tool is not designed for mass surveillance, as clarified by the NSO group.

The Pegasus spyware is sold in the form of a licence to the State or its agency, and its price depends on the contract between the firm and the agency. Reports suggest that the cost of one licence can be as high as Rs 70 lakh, which allows you to track multiple smartphones. According to 2016 estimates, for tracking 10 people the NSO group would charge a steep price of Rs 9 crore, which includes an installation fee of Rs 3.75 crore, and Rs 4.84 crore to hack 10 devices.

The Pegasus Project 

Project Pegasus is a collaborative investigative journalism project by 17 news organisations from around the world, along with Paris-based journalism non-profit Forbidden Stories, and Amnesty International, a human rights group. 

Forbidden Stories and Amnesty International got hold of a leaked list of 50,000 contact numbers which were ‘potential surveillance targets’ of the Pegasus Spyware. These included contact details of heads of state, journalists, and human rights activists. 

The list is supposed to be of people who, according to NSO’s clients, were potential targets. According to the NSO, its clientele spans 60 intelligence, military, and law enforcement agencies in 40 countries, which it refuses to name.

The list does not tell us who asked the Israeli firm to put a number on the list. Yet it has been identified that a large number of the contacts are from 11 countries, namely Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, UAE, Togo, and India.

The list is only a list of ‘potential targets’, which means that the contacts have only ‘probably’ been infected by the spyware. One cannot be sure whether a contact has been infected unless agencies carry out a proper forensic investigation of the device.

Amnesty International, however, sampled some of the devices related to the contact information and found that attempts were made on a few of the contacts while some were successfully hacked. 

In India, there has been a major uproar on social media, and even in Parliament, with many contacts of opposition leaders and political functionaries showing up on the leaked list. Among them was Rahul Gandhi, who had two of his phone numbers listed as potential targets, one added in 2018 before the General Election, and one after the polls, in 2019.

Political strategist Prashant Kishor, who in recent years has become prominent in Indian politics by helping many parties win important state elections, most recently in Bengal, also had his number show up on the list. Forensic reports suggested unsuccessful attempts in 2018, again in April 2021, a day before the last phase of the Bengal election, and a third, possibly a successful attempt in June and July 2021.

Chief Minister of Bengal Mamata Banerjee, who won the last State assembly election in a close battle against the saffron forces, has also been indirectly targeted, as her nephew and close political aide, Abhishek Banerjee, along with her private secretary, featured on the list.

Ashwini Vaishnaw, BJP minister and the current Minister of Railways, and his wife also showed up on the list for having been targeted in 2017, when he was yet a part of the BJP cadre.

Another BJP minister who was targeted was the Minister of State for Jal Shakti, Prahlad Singh Patel. Not only was his number featured on the list, but so were those of his wife and 15 other close associates.

Beyond political actors, people related to the case involving Ranjan Gogoi, the ex-Chief Justice of India, and the charges of sexual harassment levelled against him also appear. Over 11 phone numbers of the staffer who had complained against the erstwhile CJI, and of her close relatives, were also present on NSO’s list.

Ashok Lavasa, a member of a three-man election commission, was also selected as a potential candidate for surveillance.

Project Pegasus found that 40 journalists from India were targeted for surveillance, reported The Wire, which is the Indian partner in the collaboration of 17 news organisations involved in bringing the Pegasus story to light. The leaked data includes the numbers of top journalists at big media houses like the Hindustan Times, including executive editor Shishir Gupta, India Today, Network18, The Hindu, and Indian Express, The Wire reported.

Besides Delhi-based Kashmiri journalists, and a prominent civil society activist critical of official policy towards Jammu and Kashmir, more than 25 people from the Kashmir Valley were selected as potential targets of intrusive surveillance between 2017 and mid-2019, reported The Wire.

Who is to be blamed? 

The NSO has strictly maintained in its reports that it will not name its clients. However, it confirmed in its “Transparency and Responsibility” report that it sells its product only to approved, verified, and authorised states and state authorities, specifically for use in national security and major law enforcement-driven investigations.

The first finger points at the Israeli firm, which has violated the human rights of multiple members of civil society on behalf of its clients, whoever they might be. The presence of such technology is already a concern for the right to privacy, and it becomes the firm’s duty to stop its product from being misused, as the firm itself suggests.

The Pegasus Project at no point suggests that the spyware has not been put to use in relevant situations, yet the list that has been leaked is shocking, considering the names it contains: journalists, activists, and well-known political actors.

The other question, obviously, is who the client is. In India, many fingers have been pointed at the incumbent BJP Government. The first reason is that the NSO has repeatedly confirmed that its clients are mainly states or their agencies. Secondly, there is the fortune that using the NSO’s service involves. Lastly, and probably what makes the allegation much stronger, there are the people who have been targeted and the time at which they were added to the list.

Most are adversaries of the BJP, most evidently people like Congress leader Rahul Gandhi and Prashant Kishor, who have fought against the BJP in many elections. Others have been vocal in their criticism of the party’s rule since 2014, like Hany Babu, a professor at the University of Delhi and an accused in the Elgar Parishad case; many more who have been accused in that case have also featured on the list. In such a case, it is most definitely a serious violation of the human rights of the Indian citizenry by its state.

Such allegations remain speculation, as no evidence of the Modi Government’s involvement has been traced, but the lack of a concrete government response has only added fuel to such theories.

Yet another theory being speculated is that some other state agency has identified, and is tracking and snooping on, Indians, which means that the country has a huge national security threat looming over its head.

The West Bengal Government led by Mamata Banerjee, whose close acquaintances’ names have been on the list, has now set up a panel of retired to probe the Pegasus phone-hacking scandal. Mamata Banerjee has also previously been very vocal about how much the “surveillance state” is a threat to the democracy of the country, asking the opposition to unite ahead of the 2024 elections.

A petition has also been filed in the Supreme Court, seeking a court-monitored probe by the Special Investigation Team (SIT) into the reports of alleged snooping by government agencies using the Israeli spyware Pegasus on journalists, activists, politicians, and others. The petition, filed by advocate ML Sharma, says privacy is an “essential component of dignity and agency”, and asks the judiciary to protect the people’s right to privacy.

The Government response to the reports and allegations

The Government responded to the questionnaire sent by the consortium of journalists. The Ministry of Information Technology, under the newly appointed minister Ashwini Vaishnaw, stated that it has already answered the questions that were asked.

It pointed to an RTI that was filed raising questions about the government’s involvement with the NSO group’s Pegasus Project. The Ministry claimed that it was sufficient to deny any claims of association of the Government of India with the NSO group. Yet the RTI response that the Government cites does not deny the purchase of the Pegasus spyware, or even that it was considering doing so. The response to the RTI instead read “In this regard, it is informed that no such information is available with the CPIO [Central Public Information Officer].”

The Government also mentions in its response that it has well-established protocols that are followed while intercepting communication, which include sanction and supervision by high-ranking officers, ensuring that such procedures follow the due process of law and are carried out only in the national interest.

The Government also pointed to the earlier allegation that the Indian Government had used Pegasus on WhatsApp, where all the parties denied the use of Pegasus in the Supreme Court. Yet it should be noted that, even at that time, the erstwhile Minister of MeitY, Ravi Shankar Prasad, never categorically denied or confirmed the purchase of Pegasus by the government, only saying “no unauthorised interception” was made.

It is also interesting to point out that, soon after WhatsApp denied any breach of its software by Pegasus in Indian courts, the company filed a lawsuit in the US courts against the NSO group for helping government spies break into the phones of about 1,400 users across four continents.

Pointing to such instances, the Government of India suggested that the current breaking news reports are just another fishing ploy to malign the government without any “concrete basis or truth associated with it whatsoever.”