Inside 'Pegasus,' the impossible-to-detect software that hacks your iPhone
Built by a shadowy company called NSO Group, the software called "Pegasus" - discovered after being used against a human rights activist in the United Arab Emirates - forced Apple to issue a critical software update on Thursday to protect its users worldwide.
Updating iOS to the current 9.3.5 version is crucial for all users, since Pegasus is designed to infect a person's phone and it is virtually impossible to detect.
"The software leaves absolutely no indicators of compromise to the user," Mike Murray, vice president of security research and response at Lookout, a mobile security firm that researched the threat with CitizenLab, told Business Insider.
One of Murray's fellow researchers told him of how advanced Pegasus is: "Once you get this software on your phone, it's not your phone anymore."
'This is a real exploit happening in the wild against real people'
The revelation of Pegasus started with a text message on Aug. 10.
A text sent to the iPhone 6 of Ahmed Mansoor, a prominent human rights activist in the United Arab Emirates, promised "new secrets about torture of Emiratis in state prisons" with a link. Though the phone number it came from was faked, and the text's claims were interesting, he didn't click.
"I could tell that these were unusual SMS's," Mansoor told Motherboard. "And I wouldn't go and [click on] that."
Instead, he sent it to CitizenLab researchers Bill Marczak and John Scott-Railton, who used their own phone to click the link themselves - and then track what would happen next.
"What we were looking at were three chained together iOS zero days," Murray told BI.
After clicking the link, the Safari browser quickly opened and then closed. "That's the only indication the user will ever have," Murray said.
But in the background, Pegasus was calling back to servers controlled by its creators, downloading its malicious software, jailbreaking the device, and quickly infecting every aspect of the phone, from its messaging software to its repository of WiFi passwords. It did this by chaining three "zero day" vulnerabilities, unfixed bugs that can be exploited by hackers.
After CitizenLab brought in Lookout to help in discovering what Pegasus could do, the researchers immediately called Apple to report it.
"This is a real exploit happening in the wild against real people," said Murray, noting that neither research group submitted it through Apple's official bug bounty program, which could have earned them upwards of $200,000.
"This wasn't about money. This is about real people in the world being attacked."
'I think it is an arms race'
In their research, Citizen Lab and Lookout realized that Pegasus was designed to do two things: completely take over all aspects of the iPhone, and operate like a "ghost" that a user would never be able to see.
"The joke with spyware is 'suddenly my battery goes from 6 hours to 30 minutes,'" Murray said. "Pegasus doesn't do that."
What it does do is gather an incredible amount of data on an affected user. Every single text message, calendar entry, email sent through Gmail, or WhatsApp message is vacuumed up and sent back to whoever is behind the spying. It constantly updates and sends the user's location from the phone's GPS. And it even fully downloads the user's various passwords and steals the stored list of WiFi networks and passwords the phone connects to.
Not surprisingly, it can intercept audio from calls, including those made through WhatsApp and Skype, or the microphone can be remotely turned on to listen in. "Your smartphone today is the new walkie-talkie," NSO Group cofounder Omri Lavie told the Financial Times in 2013.
"We're a complete ghost," he told Defense News of his sophisticated spy software. "We're totally transparent to the target, and we leave no traces."
Since its discovery, Murray said, the NSO command-and-control servers the researchers found Pegasus communicating with have all been taken down. But it has built-in protections for updating these servers, so it's likely this discovery may be nothing more than a bump in the road for the company behind it.
"The level of stealth it has, [and] the level of protections it has against its own infrastructure being destroyed or itself being discovered is quite incredible," Murray said. "I think it speaks to the sophistication of the threat ... this was designed to maintain persistence and maintain the compromise a lot longer than what you typically see in a lot of malware."
When asked whether a hardware solution, such as Edward Snowden's proposed case for the iPhone, may be what users need to protect themselves, Murray said it would make it "harder" for attackers, but dismissed claims it could be a silver bullet.
"I think it's an arms race," he said. "As soon as we try and do it with hardware, the sophisticated attacker is simply going to work harder to blend into the background."
"People are patching up certain holes and they're just finding new holes," said Blake Kotiza, vice president of sales for Privoro, a manufacturer of anti-spying hardware for the iPhone. "It's a continuous game of cat and mouse."
Apple released an update to its mobile operating system iOS on Thursday, which fixes the three zero-day exploits that were uncovered. Users who update to iOS 9.3.5 are, for now, protected against Pegasus. An Apple spokesperson also confirmed to Business Insider that the latest update to the iOS 10 beta software is protected as well.
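The only hard fact the article gives a defender to act on is the patch level: iOS 9.3.5 is the release that closes the three zero-days. The following script, an added example that is not code from the article, Apple, Lookout or Citizen Lab, turns that into a fleet triage check: it parses reported iOS version strings (including beta strings like "10.0 beta 8"), compares them numerically against 9.3.5, and lists devices that still need the update. The device ids and versions are constructed. Treating every 10.x build as patched is an assumption for the sake of comparison; the article only confirms that the latest iOS 10 beta carries the fix. A version check says nothing about whether a device was already compromised before updating, which is what Lookout's scanner is for.

```python
"""Fleet triage against the iOS 9.3.5 patch level for the Pegasus fix.

Added example, not code from the article or any of the organisations it
names. The patched version comes from the article; everything else
(device ids, version strings, the parsing rules) is constructed.
"""
from typing import List, Tuple

# From the article: the first iOS release carrying the fix.
PATCHED_VERSION = "9.3.5"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.3.5', '9.3' or '10.0 beta 8' into a comparable tuple.

    Assumption: a beta suffix after a space is dropped and only the
    numeric part is compared. Missing components are padded with zeros
    so '9.3' compares as (9, 3, 0). Non-numeric components are dropped,
    which errs toward reporting a device as unpatched.
    """
    numeric = version.strip().split()[0]  # '10.0 beta 8' -> '10.0'
    parts = [int(p) for p in numeric.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable iOS version: {version!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_patched(version: str) -> bool:
    """True if the reported version is at or above 9.3.5.

    Assumption: any numerically higher build, including 10.x betas, is
    treated as patched; the article confirms this only for the latest
    iOS 10 beta, so earlier betas should be re-checked by hand.
    """
    return parse_version(version) >= parse_version(PATCHED_VERSION)


def triage_inventory(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the device ids, in input order, that still need the update."""
    return [device for device, ver in inventory if not is_patched(ver)]


if __name__ == "__main__":
    # Constructed sample fleet: ids and versions are made up for the demo.
    fleet = [
        ("phone-01", "9.3.5"),
        ("phone-02", "9.3.4"),
        ("phone-03", "10.0 beta 8"),
        ("phone-04", "7.1.2"),
    ]
    for device in triage_inventory(fleet):
        print(f"{device}: update to iOS {PATCHED_VERSION} or later")
```

Run it against an export of your MDM's device list; anything it prints is a device on which the chain described above would still have worked.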
Murray's company, Lookout, also has an app that scans phones for security threats, which can now tell users whether their device has been compromised.
"Now that we know what to look for, it's much more effective," Murray said.
But the company behind Pegasus is still in business, and it's likely working hard to find another way to break into the iPhone, which is believed to have been vulnerable going all the way back to iOS 7. It had previously demonstrated hacks on Blackberry and Android devices.
"It's the best out there we've seen," Murray said. "Who knows what other shady groups are still out there lurking, waiting to be discovered."