In 2019, several journalists and activists were informed by WhatsApp that their devices were compromised by Israeli spyware Pegasus. WhatsApp had said the spyware exploited its video calling system to send malware to the mobile devices. The vulnerability has since been patched.

The spyware is again in the news after reports of global surveillance operations were published by prominent media organisations. The surveillance operation targeted journalists, activists, and other key public figures in India. Nine other governments have used the software, the reports claim.

The developer maintains that it sells Pegasus only to "vetted and legitimate government agencies".<

The Pegasus

The NSO Group, an Israeli company that specialises in cyber weapons including surveillance software, has developed this spyware. The first reported activity of the spyware came in 2016 when an Arab activist received a suspicious message.

The spyware at first thought to be able to infect iOS devices only and Apple released a patch that would shore up the company’s devices against Pegasus. But security audits later revealed that Pegasus was capable of infiltrating Android devices as well.

While developers continued to introduce more security patches, the software continued to exist and become a headache for many. In 2019, Facebook brought forth a lawsuit against NSO Group for creating the software.

The group for its part claims that it has only sold the software to governments and is not responsible for the way that the software is used.

How does Pegasus work?

The scariest thing about Pegasus is the fact that the spyware can hack into phones without any overt sign or signal. The spyware is usually downloaded into mobile devices through a malicious link. It is for this reason that security experts recommend that individuals should never click on any links.

But with this spyware, clicking the 'exploit link' may not be required and a missed video call on WhatsApp is enough to open up the phone, without a response from the target.

The software even modifies the call log so that users are not aware of a missed call.

What can Pegasus do?

Once the spyware is on a mobile device, it can comprehensively spy on the target. Even encrypted messaging apps are not secure. Pegasus sees messages, tracks call logs, user activity through apps, gathers location data of the device, can access the camera, and listen in through the microphone.

Kaspersky security researchers stated in their analysis of the spyware, “Another interesting fact about Pegasus is that it tries to hide itself really diligently. The malware self-destructs if it is not able to communicate with its command-and-control (C&C) server for more than 60 days, or if it detects that it was installed on the wrong device with the wrong SIM card (remember, this is targeted spying; NSO's clients weren't going after random victims)."

How much does it cost to use the Pegasus?

According to Gadgets Now, the spyware is sold in the form of licenses and the actual prices depend on the contract. The cost of one license, that can be used to track multiple smartphones, can be as high as Rs 70 lakh. As per past estimates of 2016, the group charges a minimum of around Rs 9 crore for spying on 10 people.

As per a 2016 price list, NSO Group charged its customers $650,000 to hack 10 devices, in addition to an installation fee of $500,000 (Rs 3.75 crore).

What is happening with Pegasus right now?

Pegasus reportedly cannot target devices with the latest software, namely devices running iOS 14 and Android 11, and the devices with the latest WhatsApp versions. However, it is very likely and possible that the new versions of the spyware are able to infect even the latest software and apps. There is no such thing as a hack-proof device.

It should be noted that Pegasus is intended for targeted spying and not for mass surveillance. While you may not be able to protect yourself from Pegasus, you can engage in safe cyber behaviour to generally protect yourself better. Not opening attachments, links, and websites from unknown senders, having strong and varied passwords, and removing permissions from your apps to track your activity can make you more secure.