Pegasus Spyware: Is your mobile ever really safe from being hacked?

spy
(Image credit: Shutterstock / rogistok)

Back in 2019, Pegasus, the spyware developed by the Israeli company NSO, hit the global headlines for being put to use by some governments for snooping on human rights activists and journalists.

Now, in a redux of the same story, a global investigation by a clutch of 17 media organisations along with Amnesty International and the Paris-based non-profit organisation Forbidden Stories has claimed that Pegasus was used to extract messages and information from the phones of journalists, politicians and activists in many countries including India.

It is further claimed that Pegasus infects Android devices and iPhones, giving operators (governments, in this case) access to messages, photos and emails. It can also record calls and surreptitiously activate microphones.

Why is a spyware like Pegasus made in the first place?

The Indian government has flatly denied the allegations, saying that no authorised interception was carried out by government agencies. The politics of the latest revelations would doubtless play out in the coming weeks and even months as there are more installments in the promised leaks. 

See more

The Pegasus gate, which name will doubtless be affixed to the scandal, once again impels us to ask a fundamental question: Is your phone ever really safe?

In 2019, Facebook-owned WhatsApp accepted that around 1,400 of its users in 20 countries had been targeted by Pegasus. Mind you, WhatsApp offers end-to-end encryption. But the fact is in the face of sophisticated spyware like Pegasus none of our personal communication ever can be truly safe.

So to answer the question of how safe our phones are, they are not all that secure. Probably many of you know or understand this from a broader perspective.

But some kind of solace can be had from the fact that a spyware like Pegaus is expensive, and the Israeli company says that it sells it to "vetted and legitimate government agencies" that who fight “serious crime and terrorism”. In any case, it is not the NSO that orders the surveillance.

It is a fact that sophisticated software like Pegasus are indeed needed to take on the malcontents like terrorists and underworld operators. The governments and their sleuths need technology to intercept messages for legitimate law and order reasons.

But the safety and sensitivity of every weapon depends on who is handling it. And unfortunately some of those who have access to such hi-tech snooping tools sometimes use them for self-serving purposes.

How is Pegasus 'infected' into a phone? A missed call may be enough

Spyware is essentially a software that secretly monitors and collects information about your online activity, data on your device, and a wide range of personal information.  

The worrying news is spyware once installed in a phone can trawl through calls, texts and other data. It can activate the phone’s camera and microphone and perform every other malicious activity.

Now, the bigger worry is that it doesn't take much to 'infect' a phone with a spyware like Pegasus. It just needs, say, a WhatsApp call. And for all you cared, you need not have even answered it.

Technically what happens is data packets are altered in the voice call sent to the target/victim. It leads to an internal buffer in the WhatsApp application to overflow, which in turn will overwrite parts of the memory leading to the bypassing of the app’s security. From then on gaining control of the phone and its data is a cinch.

Investigators allege that 'authoritarian governments' are known to create fake Whatsapp accounts to make video calls to their targets. The hackers transmitted the malicious code and got the spyware auto-installed in the phone even if the targets did not answer the call.

Experts say that the only way to completely free your mobile of spyware like Pegasus is to discard the phone. Even a 'factory reset' may not be enough to secure your phone back.

In this instance, the saving grace is that Pegasus was not used to target lay people. Apparently only a group of journalists, human rights activists and so-called dissidents of governments have been victims. 

But as a common public you cannot afford to be complacent. You need to be wary all the time and adhere to safe technological protocols (keep all your apps updated, stay away from dubious sites and links, avoid answering calls from unknown numbers.)

And have a prayer or two, if you are of the believing kind.

Follow TechRadar India on TwitterFacebook and Instagram for the latest updates.

Balakumar K
Senior Editor

Over three decades as a journalist covering current affairs, politics, sports and now technology. Former Editor of News Today, writer of humour columns across publications and a hardcore cricket and cinema enthusiast. He writes about technology trends and suggest movies and shows to watch on OTT platforms.