With kidnapping of school children for ransom and deliberate killing by bandits now reaching a crisis point, especially in the northern part of the country, Information and Technology (IT) experts have said any legal IT solution that could end the crimes or reduce them drastically should be used by the government.
A commercial malware called Pegasus, which is now increasingly being used by governments across the world to spy on targeted persons and monitor their movement, has been suggested.
Pegasus, which is sold for millions of dollars by an Israeli company called NSO Group, is the most sophisticated piece of malware that has the potential to record calls, copy messages, and secretly film the owner (and those nearby) on any device that has been compromised. Hungary, Mexico, Saudi Arabia, India, and the United Arab Emirates (UAE) are already using the malware in their fight against insecurity.
NSO Group admits that its real client list has over 40 countries on it, but it says it vets the human rights records of clients. It also points out that Pegasus “cannot be used to conduct cyber-surveillance within the United States, and no foreign customer has ever been granted technology that would enable them to access phones with US numbers.”
Writing in Android Authority, software engineer Gary Sims said that, unlike the malware used by cybercriminals to make money by stealing from and cheating their victims, Pegasus is designed solely for spying. “Once it has secretly infected a smartphone (Android or iOS), it can turn it into a fully-fledged surveillance device. SMS messages, emails, WhatsApp messages, iMessages, and more, are all open for reading and copying. It can record incoming and outgoing calls, as well as steal all the photos on the device. Plus it can activate the microphone and/or the camera and record what is being said. When you combine that with the potential to access past and present location data, it is clear that those listening at the other end know almost everything there is to know about anyone that is targeted,” said Sims, who is also a journalist.
Even if a criminal knows that a government agency is targeting them with software like Pegasus, there is little they can do to stop it, Sims said.
And not just anyone can get hold of a copy of Pegasus; it isn’t something sold on eBay or even on the dark web. NSO Group only sells it to governments and it costs millions of dollars to buy. This means it isn’t in the hands of rogue bands of cybercriminals or terrorists. In fact, NSO Group markets Pegasus as a “technology that helps government agencies prevent and investigate terrorism and crime to save thousands of lives around the globe.”
NSO Group has a specialized team of researchers who probe and analyze every minute detail of operating systems like Android and iOS, to find any weaknesses. These weaknesses are then turned into ways to burrow into a device, bypassing all the normal security.
Governments that deploy Pegasus are able to achieve unlimited access to a target’s mobile devices: remotely and covertly collect information about the target’s relationships, location, phone calls, plans, and activities whenever and wherever they are.
They also intercept calls: Transparently monitor voice and VoIP calls in real-time.
Bridge intelligence gaps: Collect unique and new types of information (e.g., contacts, files, environmental wiretap, passwords, etc.) to deliver the most accurate and complete intelligence.
Handle encrypted content and devices: Overcome encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world.
Application monitoring: Monitor a multitude of applications including Skype, WhatsApp, Viber, Facebook and Blackberry Messenger (BBM).
Pinpoint targets: Track targets and get accurate positioning information using GPS.
Service provider independence: No cooperation with local Mobile Network Operators (MNO) is needed.
Discover virtual identities: Constantly monitor the device without worrying about frequent switching of virtual identities and replacement of SIM cards.
Avoid unnecessary risks: Eliminate the need for physical proximity to the target or device at any phase.
To sum up: It can be used to track Android, iOS, BlackBerry OS and Symbian devices, and extract contacts, messages, emails, photos, files, locations, passwords, processes list. It can also be used to access password-protected devices without leaving any trace and even self-destruct in case it is exposed. Pegasus can also retrieve any file from a device for deeper analysis.
Though most media reports on Pegasus relate to the compromise of Apple devices, experts said the spyware infects Android devices too.
But aren’t Apple devices more secure? Apple devices are generally considered more secure than their Android equivalents, but neither type of device is 100 per cent secure, according to Paul Haskell-Dowland, Associate Dean (Computing and Security), Edith Cowan University, and Roberto Musotto, Research Fellow, Edith Cowan University.
They said Apple applies a high level of control to the code of its operating system, as well as apps offered through its app store. This creates a closed-system often referred to as “security by obscurity”. Apple also exercises complete control over when updates are rolled out, which are then quickly adopted by users, they said.
Apple devices are frequently updated to the latest iOS version via automatic patch installation. This helps improve security and also increases the value of finding a workable compromise to the latest iOS version, as the new one will be used on a large proportion of devices globally, they wrote.
On the other hand, they said, Android devices are based on open-source concepts, so hardware manufacturers can adapt the operating system to add additional features or optimise performance. “We typically see a large number of Android devices running a variety of versions – inevitably resulting in some unpatched and insecure devices (which is advantageous for cybercriminals).
Ultimately, both platforms are vulnerable to compromise. The key factors are convenience and motivation. While developing an iOS malware tool requires greater investment in time, effort and money, having many devices running an identical environment means there is a greater chance of success at a significant scale.”
How can I tell if I’m being monitored?
While the leak of more than 50,000 allegedly monitored phone numbers seems like a lot, it’s unlikely the Pegasus spyware has been used to monitor anyone who isn’t publicly prominent or politically active.
It is in the very nature of spyware to remain covert and undetected on a device. That said, there are mechanisms in place to show whether your device has been compromised.
They said while the analysis won’t confirm or disprove whether a device is compromised, it detects “indicators of compromise” which can provide evidence of infection.
In particular, the tool can detect the presence of specific software (processes) running on the device, as well as a range of domains used as part of the global infrastructure supporting a spyware network.
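A sketch of the kind of indicator matching described above, added here as an illustration and not the code of the tool the experts refer to. The indicator names and the device records are constructed placeholders, not real Pegasus indicators.

```python
from urllib.parse import urlsplit

# Constructed indicator sets (placeholders only, not real spyware indicators).
IOC_DOMAINS = {"bad-infra.example", "cdn.tracker.invalid"}
IOC_PROCESSES = {"fakehelperd", "updaterx"}

def host_of(entry):
    """Extract a normalised hostname from a URL or a bare host[:port]."""
    entry = entry.strip()
    host = urlsplit(entry if "://" in entry else "//" + entry).hostname
    return (host or "").rstrip(".").lower()

def domain_hit(host):
    """Return the indicator matching the host or one of its parent domains.

    Matching is done on whole DNS labels, so 'notbad-infra.example' does
    not match 'bad-infra.example' the way a substring search would.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never test the bare top-level label
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None

def scan(records):
    """Return (type, observed value, matched indicator) for every hit.

    A hit is evidence of infection; an empty result does not prove the
    device is clean, because only known indicators can be matched.
    """
    findings = []
    for rec in records:
        if rec["kind"] == "process":
            name = rec["value"].rsplit("/", 1)[-1].lower()
            if name in IOC_PROCESSES:
                findings.append(("process", rec["value"], name))
        elif rec["kind"] == "url":
            hit = domain_hit(host_of(rec["value"]))
            if hit:
                findings.append(("domain", rec["value"], hit))
    return findings

# Constructed records, as might be pulled from a device backup or log export.
SAMPLE = [
    {"kind": "process", "value": "/usr/libexec/fakehelperd"},
    {"kind": "process", "value": "/usr/sbin/syslogd"},
    {"kind": "url", "value": "https://x7.bad-infra.example/a?id=1"},
    {"kind": "url", "value": "https://notbad-infra.example/"},
    {"kind": "url", "value": "CDN.Tracker.Invalid.:443"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```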
How to minimise exposure
What can I do to be better protected? Although most people are unlikely to be targeted by this type of attack, there are still simple steps you can take to minimise your potential exposure – not only to Pegasus but to other malicious attacks too.
Only open links from known and trusted contacts and sources when using your device. Pegasus is deployed to Apple devices through an iMessage link. And this is the same technique used by many cybercriminals for both malware distribution and less technical scams. The same advice applies to links sent via email or other messaging applications.
Make sure your device is updated with any relevant patches and upgrades. While having a standardised version of an operating system creates a stable base for attackers to target, it’s still your best defence.
If you use Android, don’t rely on notifications for new versions of the operating system. Check for the latest version yourself, as your device’s manufacturer may not be providing updates.
Although it may sound obvious, you should limit physical access to your phone. Do this by enabling PIN, finger or face-locking on the device. The eSafety Commissioner’s website has a range of videos explaining how to configure your device securely.
Avoid public and free WiFi services (including hotels), especially when accessing sensitive information. The use of a VPN is a good solution when you need to use such networks.
Encrypt your device data and enable remote-wipe features where available. If your device is lost or stolen, you will have some reassurance your data can remain safe.
Sources: www.androidauthority.com, www.theconversation.com, and www.thehindubusinessline.com.