Pegasus, Zero Day and Spyware stories

10 August 2016. Ahmed Mansoor, a human rights activist in the United Arab Emirates, received an SMS from an unknown number on his iPhone 6. Its content was roughly: ‘Torture of prisoners in Dubai jail’, followed by a link.

Mansoor had received messages like this before, and he knew that opening such a link is exactly how you become a victim of malware. So when he saw the SMS he suspected that the link carried some kind of virus or spyware, and the next day he forwarded the message to The Citizen Lab, a research laboratory at the University of Toronto. Citizen Lab, the mobile security firm Lookout, and malware analysts from around the world began studying the link. The questions were whether it was malicious at all and, if so, how it could compromise a modern, locked-down phone like the iPhone 6.

Their analysis took about five days. The researchers concluded that the link delivered a piece of spyware called Pegasus, probably the most sophisticated spyware seen in the wild at the time.

What can Pegasus do?

Clicking the link opens a website in the iPhone’s default browser, Safari. The browser closes before the page finishes loading. To an ordinary user nothing seems to have happened; the phone looks exactly as it did. But if you inspect the phone’s network traffic, you see that the iPhone is continuously sending large amounts of data to an external server. That data is live audio from the microphone and images from the camera, recorded calls, and messages and call logs from popular apps such as Facebook, WhatsApp, imo and Viber. Even the device’s GPS location and SIM card details are exfiltrated over the phone’s Internet connection. In other words, Pegasus is not destructive malware that damages the phone or its data; it is spyware, built to monitor a victim silently.

That is not all. When the researchers analysed the Pegasus code they found a self-destruct mechanism. When a particular command arrives from the server, Pegasus wipes every trace of itself, including the original message. According to the researchers, it also removes itself if it loses contact with its server for more than 24 hours, so that an infected phone left offline does not keep evidence around for analysis.


Spyware is nothing new in the 21st century; surveillance software of this kind has been used before. As far back as 2000, the US FBI was known to be running surveillance software of its own. But the more mature a phone or computer operating system becomes, the harder it is to attack. So how does spyware this powerful run on the latest iOS? The answer is the zero-day vulnerability.

Suppose I build a calculator app that does simple addition, subtraction, multiplication and division. A user divides a number by 0 (zero). Division by zero is undefined in mathematics, and in code it is an error as well. The app should catch that case and display an error message instead of attempting the division, but I never wrote that check, so the app crashes. That missing check is a weakness, a bug, in my calculator app.

The term zero-day means that the bug or vulnerability is unknown to the app’s developer, who has therefore had zero days to fix it. Once the developer learns of it, the fix is usually straightforward: correct the code and ship an update. The question is how a hacker can take advantage of such a weakness while it is still unknown.

This part is a little more complicated, and explaining it requires some idea of how an operating system works. A computer or phone keeps the code and data of the operating system and of every running app in its memory (RAM). For security reasons, one app is normally not allowed to read or modify the memory of another app, or of the operating system itself.

Let’s go back to the calculator app. Suppose the calculator accepts at most 8 digits of input. The app therefore reserves exactly enough memory (a memory allocation, or buffer) to hold an 8-digit number. But nowhere in the code is there a check that rejects input longer than 8 digits. If a user somehow enters a longer number, the extra digits no longer fit in the space set aside for the input, and they spill over into the memory that lies next to it: other variables belonging to the app, or bookkeeping data the program relies on, such as the address it will return to when the current function finishes. This kind of vulnerability is called a buffer overflow.

If the hacker replaces the digits in the overflowing part with carefully chosen bytes, those bytes overwrite whatever sits after the buffer. Overwriting a stored address lets the attacker redirect the program to code of the attacker’s own choosing. But this is far easier to describe than to do. The operating system has defences of its own against exactly this, for instance the sandbox that confines each app, and address space layout randomization (ASLR), which shuffles where code and data sit in memory so the attacker does not know which address to aim for. So how did Pegasus manage it?
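The calculator buffer overflow described above, and the hardened version a developer should have written, as an added C example (this is illustrative code written for this page, not the calculator, Pegasus, or any Apple code). The memory region, its layout, and the trusted 32-bit flag placed after the input buffer are constructed assumptions; in a real process the value sitting after a stack buffer is typically the saved return address, which is what an exploit would aim at. The vulnerable copy deliberately clamps at the end of the modelled region so that the demo itself never writes outside its own array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout of the toy calculator's memory region:
 *   bytes  0..7  : the 8-digit input buffer
 *   byte   8     : terminating NUL
 *   bytes  9..11 : padding
 *   bytes 12..15 : a 32-bit value the program trusts (here a "privileged" flag;
 *                  in a real stack frame, the saved return address) */
#define INPUT_SIZE   8
#define FLAG_OFFSET  12
#define REGION_SIZE  16

struct region {
    uint8_t bytes[REGION_SIZE];
};

static void region_init(struct region *r) {
    memset(r->bytes, 0, sizeof r->bytes);
}

/* Read the trusted value that lives after the input buffer. */
static uint32_t region_flag(const struct region *r) {
    uint32_t v;
    memcpy(&v, r->bytes + FLAG_OFFSET, sizeof v);
    return v;
}

/* Vulnerable: copies every byte of the input into the buffer without ever
 * comparing its length against INPUT_SIZE. Anything past 8 digits lands in
 * the adjacent memory. (The clamp at REGION_SIZE only keeps this demo inside
 * its own array; the calculator in the text has no such clamp.) */
static int store_input_vulnerable(struct region *r, const char *digits) {
    size_t n = strlen(digits);
    if (n > REGION_SIZE) n = REGION_SIZE;
    memcpy(r->bytes, digits, n);
    return 0;
}

/* Hardened: refuses input longer than the buffer and always NUL-terminates,
 * so nothing can reach the bytes after the buffer. */
static int store_input_checked(struct region *r, const char *digits) {
    size_t n = strlen(digits);
    if (n > INPUT_SIZE) return -1;
    memcpy(r->bytes, digits, n);
    r->bytes[n] = '\0';
    return 0;
}

/* Constructed attacker input: 12 characters to fill the buffer, the NUL slot
 * and the padding, then four 0x01 bytes that land exactly on the flag. */
static const char ATTACK_INPUT[] = "123456789012\x01\x01\x01\x01";

/* Flag value after the vulnerable store: the attacker now controls it. */
uint32_t demo_vulnerable(void) {
    struct region r;
    region_init(&r);
    store_input_vulnerable(&r, ATTACK_INPUT);
    return region_flag(&r);
}

/* Return value of the hardened store on the same input (-1 = rejected), with
 * the flag untouched. */
int demo_checked(uint32_t *flag_out) {
    struct region r;
    region_init(&r);
    int rc = store_input_checked(&r, ATTACK_INPUT);
    *flag_out = region_flag(&r);
    return rc;
}

int main(void) {
    uint32_t flag;
    printf("vulnerable store: flag = 0x%08x\n", demo_vulnerable());
    int rc = demo_checked(&flag);
    printf("checked store:    rc = %d, flag = 0x%08x\n", rc, flag);
    return 0;
}
```

Compile with `cc -Wall overflow_demo.c && ./a.out`. The vulnerable path reports a flag of 0x01010101, a value that came entirely from the attacker's input; the checked path returns -1 and leaves the flag at zero. On a real stack the same 16-byte input would overwrite a saved return address, which is the step defences such as ASLR and the sandbox exist to frustrate.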

Pegasus does not rely on a single bug; it chains three separate iPhone vulnerabilities, which is why the researchers named the exploit chain Trident. First, a memory corruption vulnerability in the Safari browser’s engine lets it run code inside the browser. Next, an information leak in the iOS kernel reveals where the kernel’s code sits in memory, defeating the address randomization. Finally, a third vulnerability, a memory corruption bug in the kernel itself, jailbreaks the phone and hands Pegasus control of the entire operating system. Controlling the operating system means controlling every app and every piece of data on the phone.

On August 15, 2016, the researchers reported these vulnerabilities to Apple. Ten days later Apple patched the code and released an update for all three (iOS 9.3.5).

It is safe to assume that no lone individual produces an attack this sophisticated, with a chain of three zero-days this valuable. The researchers found that Pegasus was sending all of the stolen data to servers associated with NSO Group, an Israeli technology firm. NSO’s website advertises a “mobile cyber warfare system” that is sold to government and law-enforcement or military organizations. Their product is claimed to work on both the latest iOS and Android phones and to do everything Pegasus was observed doing. In other words, it can be assumed that some customer bought Pegasus from NSO Group and aimed it at Ahmed Mansoor.

The story did not end in 2016. NSO’s mobile cyber warfare system was still active in 2021, and the company is still selling spyware built on new zero-days, although the exact capabilities of any given version cannot be verified without analysing a sample. In 2019 a new version of Pegasus was discovered that no longer needs the victim to click a link: the phone is infected as soon as the message arrives (a so-called zero-click exploit). In July 2021, Amnesty International’s Security Lab published a forensic report on Pegasus that also gave some information about NSO’s clients and their victims. The important point is that Pegasus is a very complex, powerful and expensive piece of spyware. Ordinary people will never be able to use it.

According to the NSO website, Pegasus is sold to governments solely for counter-terrorism. But that does not mean Pegasus is the only spyware of its kind: wherever a system has a weakness, there are many organizations like NSO Group able to find it. For an ordinary citizen, some targeted attacks can be avoided by not clicking unfamiliar links and not calling back unknown numbers. Against the zero-click versions that advice does not help at all, and the most effective thing a user can do is install operating system updates as soon as they are released, since that is what closes the vulnerabilities such spyware depends on.

The more advanced the technology, the more complex its code becomes, and the more complex the code, the more likely it is to contain mistakes, that is, vulnerabilities. According to NSO, Pegasus is legitimate intelligence software that has saved many lives. Legal or not, every bug in an app or an operating system is a weakness of the whole system, and it is vital to find and fix such bugs quickly. That is why companies like Apple and Google now hire security researchers (hackers), reportedly at salaries above those of developers, and pay rewards for reported vulnerabilities through bug bounty programs.
