Cyber Security

Staying Safe from Mobile Phone Surveillance and Pegasus

Your mobile phone, generally known as a smartphone nowadays, is the most vulnerable and targeted device for surveillance. It voluntarily gives away a lot of information about you, which is why it is rightly called a ‘spy in your pocket’. It tracks your location and movement regularly and sends this information to the intended party. A phone’s location is available not only from global positioning system (GPS) data: because the phone is constantly looking for the strongest network signal from nearby cell towers, its location can also be established with respect to the towers’ locations. Communication protocols, which are standard procedures in telecommunication networks to establish communication, constantly receive the location of cellphones through a standard message known as a ‘ping’, which is kept in records (generally called logs) along with certain other information, including timestamps. These logs are maintained not only by the carrier company providing mobile phone services or by the device itself, but by third-party companies too. These companies are behind the applications installed on your mobile phone. Applications that do not need your location information to function may also be collecting such data and, surprisingly, with permissions you gave during initial installation, as no one carefully reads the ‘Terms and Conditions’ or ‘End User License Agreement’ and just clicks ‘I accept’ or ‘I agree’. If you are smart enough to deny permission to share ‘location data’, the application may not do so, but this is not guaranteed: in the worst-case scenario the application is still covertly doing this. These companies collect data in real time and process the records using big data analytics to extract useful information. The extracted information, or even the raw data, can be sold to anyone who is interested and ready to pay the price.
Such information is a serious threat to user privacy and security as it reveals the complete work and life pattern of an individual. The worst part is that this process is not regulated or scrutinised, giving rise to serious privacy and security concerns. All of this can be done without users’ permission or even their knowledge. Mobile phones can be accessed by hackers exploiting any available communication channel, such as the internet, Near-Field Communication (NFC), Wi-Fi, and Bluetooth.

Mobile phone surveillance has become an effective tool in view of our increased dependence on mobile phones, which have become our permanent companions. Like any other technology, mobile surveillance is not bad in itself, as location data offers a great number of advantages too. The obvious one is the use of map applications that help us find our way and inform us about traffic patterns, with advance knowledge of road blockades and the like. The data is used by city governments to plan transport and other services. It is also used by law enforcement agencies to prevent and control crime by tracking criminals. Parents can use tracking applications to protect their children. Mobile phone surveillance is also an effective tool for health authorities in the prevention and control of infectious diseases and epidemics. During the COVID-19 pandemic, cellphone location data has been extensively utilised by health authorities to develop heat maps and carry out contact tracing for the subsequent implementation of effective strategies in controlling the pandemic. It also has great potential in the health sector for monitoring patients. However, a comprehensive policy framework is required, and all of this needs to be governed by an effective regulation mechanism in which mobile phone users’ privacy concerns are addressed and people feel protected.
A recent detailed news report about the use of Pegasus as a mobile phone surveillance tool, published by Forbidden Stories and Amnesty International and sharing a list of more than 50,000 phone numbers of interest to NSO customers, has raised serious alarms. Pegasus is probably the most advanced, powerful, and effective surveillance spyware. It can be installed on a victim’s phone through ‘zero click’, which means that the victim does not need to click on any link: the spying software can be installed on the mobile phone without any action by the user or their knowledge, bypassing the device security system altogether. Once installed, Pegasus can turn your mobile phone into a secret surveillance device. It can fully control your device and secretly perform several functions: access your device’s complete data, including files, photos, emails, call history, SMS messages, address books, calendars, contact details, and browsing history; copy messages you send and receive; record your calls; control your phone’s camera and microphone to film you or record your conversations; and give away your location as well. Remotely controlling the camera and microphone allows the attacker to target not only the cell phone user but also people in the surroundings. The attacker can get root access, or administrator privileges, on the infected phone, which allows the attacker to do much more than even the owner can. Pegasus is developed and marketed by an Israeli company, NSO Group, which has close ties with the Israeli government. The founders of NSO Group are ex-members of Unit 8200, an Israeli Intelligence Corps unit responsible for collecting signals intelligence. Pegasus received wide public attention following the murder of Saudi journalist Jamal Khashoggi in 2018. With time, more advanced versions of the spyware are being developed.
Pegasus generally exploits zero-day vulnerabilities – flaws or bugs in an operating system that even the mobile phone manufacturer does not know about and that therefore have not been fixed – which makes Pegasus attacks very successful, as there is little to no defence against them. In 2019, WhatsApp announced that Pegasus had infected more than 14,000 phones used by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior government officials in twenty different countries, including Pakistan’s senior defence and intelligence officials. Targeting Pakistan’s officials in this way was a clear indication of state-on-state espionage. WhatsApp filed a lawsuit against NSO Group for unauthorised access and abuse of its services. Pakistan’s government, in response, asked its officials not to use WhatsApp to share sensitive data or classified information. The government has also shown its commitment to developing an application to replace WhatsApp for classified communication by government officials.
NSO Group claims that the Pegasus software is purchased by governments to track terrorists and other criminals and that it has no knowledge of how these governments are using the software. Citizen Lab, an academic research group based at the University of Toronto’s Munk School, discovered as early as 2018 that Pegasus was being used by thirty-six operators in forty-five different countries. Governments from India, Mexico, Saudi Arabia, Bahrain, Kazakhstan, Azerbaijan, Rwanda, Morocco, Hungary, and the United Arab Emirates are reportedly NSO clients using Pegasus. Phones in India, Bangladesh, Brazil, Hong Kong and Pakistan have been targeted since 2017 by a single ‘operator’ codenamed Ganges.
Researchers found that the Pegasus spying software was installed simply by placing a WhatsApp call, even if the call was not answered. Pegasus was also installed on iPhones by exploiting vulnerabilities in the iMessage software. The exploitation of WhatsApp and iMessage vulnerabilities to install Pegasus by zero click has left many mobile users vulnerable to its successful installation. Amnesty International’s Security Lab in Berlin, which is carrying out research on Pegasus, has discovered attacks on iPhones running updated versions of iOS as recent as July 2021. Pegasus has also been found to exploit vulnerabilities in other legitimate applications from Apple Store and Play Store. Additionally, Pegasus can be installed manually or Over-the-Air (OTA). The spyware is very sophisticated malware that is very difficult to detect, and its latest versions stay only in temporary memory instead of on the hard disk, making detection even more difficult.
There are a few simple steps to find out if your mobile phone is infected with spying software. Before we talk about Pegasus, which is comparatively difficult to detect, let’s see how we can prevent the installation of common spyware. One must always use reputable antivirus software on the mobile phone. Smartphones are similar to minicomputers, with lots of different software, so the best way to keep a phone safe from malware is through an antivirus. If you are doing sensitive tasks or sharing sensitive information, you may install and use an authorised and well-reputed Virtual Private Network (VPN). A VPN can encrypt your traffic and mask your IP address. Using an easy-to-remember yet difficult-to-guess password on your phone, along with two-factor authentication, is an easy way to protect your phone from unauthorised access. Don’t store personal, private or other sensitive data, such as financial information, on your mobile phone. Data can be protected through encryption. Wi-Fi, Bluetooth, and other available communication channels must be disabled when not required. Be careful while browsing: avoid visiting dubious websites and clicking on suspicious links. Avoid cookies while browsing, as cookies record your activity and save your data. You need to disable cookies for certain websites and clear them regularly. Use of social media platforms, especially on mobile phones, is risky, as different people can interact with you and trap you through fake profiles with the aid of simple social engineering tricks. You also give away a lot of information on social media platforms, whether intentionally or unintentionally. Be very careful while giving permissions to applications during the initial installation process. Grant applications the minimum permissions and review them regularly. Keep only the minimum, essential applications on your mobile phone, as there are backdoors associated with almost every single one of them.
Always download applications from trusted sources and regularly update them along with the operating system on your mobile device, as updates come with security fixes for all newly discovered backdoors. If spyware is monitoring your mobile phone, there are a few simple indicators that can make you aware of this. Increased battery drain and heating are the most common and obvious indications. You may hear beeping and clicking during conversations. Your phone may start behaving abnormally; some unwanted applications may be present, and some pop-ups may start appearing. There could be an increase in data usage, which can be monitored. Scan your browser history: if it records activities that you have not performed, then spyware must be responsible. A quality antivirus generally doesn’t allow spyware to install itself on your phone and can detect it, but if you are unable to remove it, a factory reset is the last option, as it removes all applications, files, and data from your mobile device. A mobile phone may be tracked even if it is turned off; if you do not want your phone to be tracked, you need to remove the battery or place the phone in a Faraday bag so that it completely blocks all wireless signals and keeps the phone shielded.

Pegasus has brought new dimensions to mobile phone surveillance. It may be very difficult to detect because, unlike other common spyware, it has no obvious signatures. It may not cause the mobile phone to hang or slow down, but there could be higher data usage and battery consumption. An open-source utility called the Mobile Verification Toolkit (MVT), from Amnesty International, can be used to detect if your phone is infected with Pegasus. Cybersecurity experts, through forensic analysis, can find out if data was exchanged with suspicious websites linked to Pegasus.
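The check described above, finding out whether a phone exchanged data with suspicious websites, can be sketched as follows. This is an added example, not code from the article or from MVT; the record format, the function names and every domain in it are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed indicator list: placeholder domains, not real spyware infrastructure.
INDICATOR_DOMAINS = {"bad-infra.example", "tracker-cdn.test"}

# Constructed browsing records (timestamp, URL), as they might be exported from a phone backup.
HISTORY = [
    ("2021-07-01T09:12:44Z", "https://news.example.org/article?id=7"),
    ("2021-07-01T09:13:02Z", "https://x7k.bad-infra.example/a/b?c=1"),
    ("2021-07-02T18:40:10Z", "http://TRACKER-CDN.test:8080/px.gif"),
    ("2021-07-03T07:01:55Z", "https://notbad-infra.example/home"),
    ("2021-07-03T07:02:00Z", "not a url"),
]

def hostname_of(url):
    """Return the lower-cased hostname of a URL, or None if it has none."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def matching_indicator(host, indicators):
    """Return the indicator equal to host or a parent domain of it, else None.

    Matching is done on whole DNS labels, so 'notbad-infra.example' does not
    match 'bad-infra.example' the way a plain substring search would.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def find_hits(history, indicators):
    """Return (timestamp, hostname, indicator) for every record that matches."""
    hits = []
    for timestamp, url in history:
        host = hostname_of(url)
        if host is None:
            continue  # malformed or host-less entry: nothing to compare
        indicator = matching_indicator(host, indicators)
        if indicator:
            hits.append((timestamp, host, indicator))
    return hits

if __name__ == "__main__":
    for hit in find_hits(HISTORY, INDICATOR_DOMAINS):
        print(hit)
```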
As per the data available on the Pakistan Telecommunication Authority’s (PTA) website, there are more than 184 million cellular subscribers in Pakistan with mobile phone penetration above 84%; of these, 100 million are 3G/4G subscribers. So many mobile phone users in a country with a literacy rate of just 59% leaves a large portion of our population vulnerable to the threats associated with mobile phones. However, this also provides a great opportunity for our law enforcement agencies to use lawful mobile phone surveillance to track criminals and detect or stop crimes. We have taken several steps to make our officials less vulnerable to such attacks. These include stopping the use of WhatsApp for official communication, developing a communication app to replace WhatsApp for official communication, and banning smartphones in offices dealing with sensitive or classified tasks, as a 100 percent effective security solution does not exist except not having a mobile phone. There are a large number of other security risks associated with the use of mobile phones, and they are compounding as we add new features to them. However, in this article, we have mostly restricted ourselves to surveillance. It is more important that we make our people aware, as they must fully understand the associated cybersecurity risks. We must understand that any smartphone – be it Android, Apple or BlackBerry – is equally vulnerable to cyberattacks. We must be on the lookout for simple indicators in our smartphones, as discussed above, of the presence of any surveillance spyware. It is awareness, adherence to policies and best practice guidelines, a careful attitude, sensible behaviour and, above all, common sense that will save us in the end.
