The NSO Group’s Pegasus spyware adds new layers and unique capabilities to a highly sophisticated and booming surveillance software industry to overcome modern challenges posed by encryption, masking and frequent SIM card replacement.
In this regard, the Pegasus marketing brochure, made public as part of WhatsApp’s filings in a US court case against the Israeli company, provides an insight into the spyware’s tech stack, architecture, and features.
Though this marketing brochure is likely outdated, and thus does not represent the leaps that have likely been taken over the last few years, it still provides an important glimpse into the different layers of data collection, transmission, presentation and analysis built into the spyware.
Dissecting Pegasus: Understanding different layers of the spyware
Common public awareness about Pegasus is limited to it being a zero-click data collection tool that harvests user data from the device like SMS, contacts, calendar, location, WhatsApp chats, browsing history, photos and videos while also triggering actions in the background like recording calls, activating camera and microphone.
However, different layers of Pegasus add unique abilities to the spyware, making it a comprehensive surveillance tool that requires minimal intervention and technical expertise on the part of the actual customer that operates the software.
The ‘installation layer’ handles remote installation of invisible spyware on the target devices (referred to as agents in the marketing brochure), its maintenance and uninstallation using a self-destruct mechanism in scenarios where operators may be exposed.
Pegasus: Agent installation flow
Pegasus: Agent installation flow
In this layer, as the above diagram shows, NSO is simplifying a complex installation process by abstracting several technical details from the operators, requiring them only to insert a target’s phone number. As the NSO claims in its brochure that “the rest is done automatically by the system, resulting in most cases with an agent installed on the target device”.
After a phone number is inserted, in the background, the Pegasus system checks whether the number is active or not using some HLR lookup service(s) and analyses the phone type and OS version (operating system like Android or iOS) to check the device compatibility.
HLR (Home Location Register) lookup services act as a building block for advanced spyware tools like Pegasus. HLR refers to a database that contains information regarding authorised subscribers of a mobile network, including their phone numbers, current location and International Mobile Subscriber Identity (IMSI), which is a unique identifier of each SIM. HLR lookup services like this help query this database to check if a phone number is active or not.
Also read: Amazon Shuts Down Some Infra and Accounts Linked to NSO Group
The Pegasus system also checks for available installation methods (over-the-air using a push notification covertly sent to the mobile vs SMS/Email push) before delivering the exploit to the target device. NSO handles spyware’s delivery infrastructure and mechanism, providing customers with limited knowledge and control over the process.
NSO, in its statement, claims that “it does not have access to the data of its customers’ targets”, and all of the data resides on servers deployed on the customer side.
Anonymizers and Data Analysis
What makes it hard to identify a Pegasus operator is the fact that the system deploys a network of anonymizers at the data transmission layer. Anonymizer servers are spread across the globe, allowing agent connections to be redirected through different paths before reaching the Pegasus customers.
In addition, all the connections are encrypted, securing the identity of the customers and government officials using the spyware.
Once the data reaches customer servers, it is arranged, filtered, reviewed and analysed by the operators using the dashboard. The dashboard shows the entire collected data from a specific target or only a specific type of information from all targets. The charts on the dashboard show key activities and patterns of a target, while maps show the target’s real-time activity and historical location.
Pegasus: Call Log and Call Interception
Pegasus: Location Tracking
On the dashboard, operators can also create custom rules that trigger system alerts automatically based on device activity, like alerts when a defined word is used in a conversation or when the target calls a specific number. The operators can also export all the extracted data, including names and phones of contacts and chat participants, conversation content, audio recordings, files and folders. They also use the latitude and longitude data of the device to create geofences that trigger a notification in real-time based on an individual’s movement.
This high level of customisability and control without requiring any particular technical skills makes Pegasus a benchmark software for tech enthusiasts in the surveillance industry. However, the way authoritarian regimes are using Pegasus across the world to target journalists, activists and women raises an important conundrum – has NSO created a beast too powerful enough to control in the name of security and defence?
Devesh Kumar is an independent data analyst and senior data visualizer with The Wire.
The Pegasus Project is a collaborative investigation that involves more than 80 journalists from 17 news organisations in 10 countries coordinated by Forbidden Stories with the technical support of Amnesty International’s Security Lab. Read all our coverage here.
Note: The article has been edited to reflect that the featured illustrations, previously credited to Devesh Kumar, are by illustrator Diana Valeanu, from absurd.design.
