Pegasus, Under the Hood: How Zero-Click Spyware Lands, Operates, and How to Fight Back
What Pegasus actually does
Pegasus is a commercial “mercenary” spyware suite by NSO Group that covertly compromises iOS and Android devices, enabling data theft (messages, photos, tokens), live microphone/camera activation, and location tracking—often without any user action. Independent labs have repeatedly linked infections to zero-click exploit chains (no tap, no click) delivered through system parsers like iMessage / ImageIO and Wallet/PassKit.
“This is not phishing-at-scale; it’s precision exploitation of core parsers that touch your device even when you never tap the message.” — Mobile security researcher summary of zero-click risk, based on Citizen Lab and Project Zero analyses.
How infections happen
- Targeting & delivery
  - Operator selects a high-value target (journalist, lawyer, official). Payloads arrive via iMessage (e.g., FORCEDENTRY 2021; BLASTPASS 2023) or other channels. In earlier eras, links (SMS/DM) and network injection on hostile networks were also observed.
- Exploit chain (parser abuse)
  - Crafted images or containers trigger bugs in ImageIO/Wallet (PassKit) or iMessage’s pipeline, pivoting to kernel-level code execution. (Examples: CVE-2021-30860/FORCEDENTRY; CVE-2023-41064 & CVE-2023-41061/BLASTPASS.)
- Post-exploit implant
  - The implant establishes C2, escalates privileges, and begins exfiltration. Infrastructure rotates frequently (throwaway domains / short-lived servers) to reduce the forensic footprint.
- Persistence (it depends)
  - Historic Pegasus (2016 “Trident”) used true persistence tricks; later waves often avoid persistence on iOS (cleared by reboot) to lower forensic risk—operators can simply re-exploit. On Android, some cases may survive a factory reset, hence “replace the device” is sometimes advised after a confirmed compromise.
Why Apple’s Lockdown Mode matters
For BLASTPASS (2023), Citizen Lab and Apple stated that Lockdown Mode blocks that chain. Lockdown trims high-risk parsers and attachment handling—hugely valuable for at-risk roles.
“Demonstration” (safe): How defenders test & investigate
A) Quick risk-reduction drill (any high-risk iPhone)
- Update iOS/macOS immediately (enable auto-updates + Rapid Security Responses).
- Enable Lockdown Mode (Settings → Privacy & Security → Lockdown Mode → Turn On).
- Harden iMessage workflow (minimize unknown senders; limit content previews).
- Daily reboot is not a fix, but can disrupt non-persistent implants and surface anomalies in logs between reinfection attempts.
B) Basic forensics with MVT (Mobile Verification Toolkit)
This is for defenders on devices you own/manage or with explicit consent.
- Prepare an iOS backup (unencrypted Finder/iTunes backup).
- Run MVT against the backup with published indicators (STIX2 files from trusted labs). Note that the PyPI package is named `mvt`; it installs both the `mvt-ios` and `mvt-android` commands:

```bash
# Example (macOS/Linux workstation)
python3 -m pip install mvt
# --iocs: STIX2 indicator file; --output: directory for per-module JSON results and the timeline
mvt-ios check-backup --iocs path/to/pegasus-indicators.stix2 --output ./mvt_results ./path/to/ios_backup
```
- Interpret results: Hits require expert review; absence of hits ≠ clean bill of health. Consider full-device acquisition by a professional lab if you have an Apple threat notification.
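To make the indicator-matching step less of a black box, here is an added example written for this page; it is not code from the original post, from NSO research, or from the MVT project. It reads the STIX2 bundle format that `mvt-ios check-backup --iocs` consumes (one equality comparison per indicator pattern) and applies it to constructed records of the kind a backup parser would extract. Every domain, process name, e-mail address and record below is a constructed placeholder, not a real Pegasus indicator, and the subdomain-matching rule is this example's own choice.

```python
"""
Added example (not code from the original post, NSO research, or the MVT
project): a minimal reader for the STIX2 indicator bundle format that
`mvt-ios check-backup --iocs` consumes, followed by the matching step applied
to constructed device records. Every domain, process name, address and record
below is a constructed placeholder, not a real Pegasus indicator.
"""
import json
import re
from typing import Dict, List, Set

# Constructed STIX2 bundle in the shape MVT reads: a "bundle" whose "indicator"
# objects carry a single equality comparison in "pattern".
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "malware",
         "id": "malware--00000000-0000-4000-8000-000000000001",
         "name": "Constructed-Spyware"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[domain-name:value = 'updates-cdn.example']",
         "pattern_type": "stix"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[process:name = 'svc-helper']",
         "pattern_type": "stix"},
        {"type": "indicator",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[email-addr:value = 'sender@invite.example']",
         "pattern_type": "stix"},
    ],
})

# Constructed records standing in for what a backup parser would extract
# (process names from data-usage stats, Safari history hosts, message senders).
SAMPLE_RECORDS = [
    {"source": "datausage", "kind": "process", "value": "svc-helper"},
    {"source": "datausage", "kind": "process", "value": "mobileassetd"},
    {"source": "safari_history", "kind": "domain", "value": "www.apple.com"},
    {"source": "safari_history", "kind": "domain", "value": "cache.updates-cdn.example"},
    {"source": "sms", "kind": "email", "value": "Sender@invite.example"},
]

# One-clause equality pattern: [<object-type>:<property> = '<value>']
PATTERN_RE = re.compile(
    r"^\[(?P<otype>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<value>[^']*)'\]$")

# Which STIX object type each record kind is compared against.
KIND_TO_OTYPE = {"domain": "domain-name", "process": "process", "email": "email-addr"}


def load_indicators(bundle_json: str) -> Dict[str, Set[str]]:
    """Return lower-cased indicator values grouped by STIX object type."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX2 bundle")
    iocs: Dict[str, Set[str]] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # malware/relationship objects carry no matchable value
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if not m:
            continue  # boolean/compound patterns are out of scope here
        iocs.setdefault(m.group("otype"), set()).add(m.group("value").lower())
    return iocs


def domain_matches(observed: str, ioc_domains: Set[str]) -> bool:
    """Exact match or a subdomain of an indicator domain (this example's rule)."""
    observed = observed.lower().rstrip(".")
    return any(observed == d or observed.endswith("." + d) for d in ioc_domains)


def scan_records(records: List[dict], iocs: Dict[str, Set[str]]) -> List[dict]:
    """Return the records whose value matches an indicator of the right type."""
    hits = []
    for rec in records:
        pool = iocs.get(KIND_TO_OTYPE.get(rec["kind"], ""), set())
        if rec["kind"] == "domain":
            matched = domain_matches(rec["value"], pool)
        else:
            matched = rec["value"].lower() in pool
        if matched:
            hits.append(dict(rec, matched_type=KIND_TO_OTYPE[rec["kind"]]))
    return hits


def summarize(records: List[dict], iocs: Dict[str, Set[str]]) -> dict:
    """Triage summary; no hits means 'nothing found', never 'device is clean'."""
    hits = scan_records(records, iocs)
    return {
        "records": len(records),
        "hits": len(hits),
        "verdict": "expert review required" if hits
                   else "no indicator hits (not a clean bill of health)",
    }


if __name__ == "__main__":
    ind = load_indicators(SAMPLE_BUNDLE)
    for h in scan_records(SAMPLE_RECORDS, ind):
        print(f"HIT {h['source']}: {h['value']} ({h['matched_type']})")
    print(summarize(SAMPLE_RECORDS, ind))
```

The verdict string is deliberately asymmetric: a hit is a lead for expert review, while an empty result only says the indicator set you had did not fire. Indicator files go stale as infrastructure rotates, which is why the post's "absence of hits ≠ clean" caveat matters. Separately, MVT also accepts encrypted backups once they are decrypted with `mvt-ios decrypt-backup`; an encrypted backup carries more artifacts than an unencrypted one, so labs generally prefer it.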
C) If you receive an Apple threat notification
- Do not wipe; preserve evidence.
- Move sensitive work to a known-clean device.
- Engage experts/NGOs (e.g., digital security helplines) for MVT-based analysis.
- Keep Lockdown Mode enabled; patch promptly.
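"Preserve evidence" is easier to honor if the backup you hand to a lab can be shown to be the same bytes you acquired. The following is an added example written for this page (not the post's own procedure and not MVT code): it builds a SHA-256 manifest of an evidence directory and later checks it for modified, missing or added files. The file names and contents in `demo()` are constructed stand-ins for an iOS backup tree; nothing here reads a real device backup.

```python
"""
Added example (not from the original post or MVT): build and verify a SHA-256
manifest over an evidence folder such as an iOS backup directory, so a later
analyst can confirm the copy is unchanged since acquisition. The demo tree and
its contents are constructed placeholders.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List

CHUNK = 1 << 20  # hash in 1 MiB chunks; backups can be tens of GB


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map each file's root-relative POSIX path to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def write_manifest(root: str, out_path: str) -> Dict[str, str]:
    """Persist the manifest as JSON (store it outside the evidence folder)."""
    manifest = build_manifest(root)
    with open(out_path, "w", encoding="utf-8") as f:
        json.dump({"root": os.path.abspath(root), "files": manifest},
                  f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(root: str, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that changed, disappeared or appeared since the manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> Dict[str, Dict[str, List[str]]]:
    """Constructed evidence tree: verify clean, then tamper and verify again."""
    with tempfile.TemporaryDirectory() as root:
        backup = os.path.join(root, "ios_backup")
        os.makedirs(backup)
        with open(os.path.join(backup, "Manifest.db"), "wb") as f:
            f.write(b"constructed sample bytes")
        with open(os.path.join(backup, "Info.plist"), "wb") as f:
            f.write(b"<plist/>")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate post-acquisition damage: one file edited, one deleted.
        with open(os.path.join(backup, "Manifest.db"), "ab") as f:
            f.write(b"!")
        os.remove(os.path.join(backup, "Info.plist"))
        tampered = verify_manifest(root, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the manifest file (and ideally a copy of the whole evidence folder) on separate, write-once media, and hand the digests to the lab alongside the backup; re-running `verify_manifest` on arrival is how both sides confirm nothing drifted in transit.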
Concrete, layered protections (orgs & individuals)
For everyone
- Keep OS/apps current; remove unknown configuration profiles; avoid sideloading.
- Use hardware security keys/app-based 2FA; rotate passwords on a separate, clean device after incidents. (Best practice.)
For high-risk users / orgs
How Pegasus changed over time (key milestones)
- 2016 “Trident”: link-based chain with true persistence on iOS (Lookout/Citizen Lab).
- 2020–2021 “KISMET/Great iPwn/FORCEDENTRY”: large move to zero-click iMessage.
- 2022–2023: multiple iOS 15/16 zero-click chains; BLASTPASS via PassKit images; Lockdown Mode blocks that chain.
“Pegasus turned smartphones into pocket informants. The answer isn’t panic—it’s discipline: patch fast, enable Lockdown Mode for high-risk roles, and use professional forensics rather than guesswork. Treat an Apple threat alert like smoke from a fire alarm—investigate with experts before the evidence disappears.” — El Mostafa Ouchen
TL;DR: What to do right now
- Update and enable Lockdown Mode if you’re high-risk.
- Establish an IR path: preserve evidence, MVT scan, expert help on notification.
- Assume reinfection attempts until patched; don’t rely on “factory reset” (Android may persist; iOS often re-exploited).
Sources for further reading
Citizen Lab on FORCEDENTRY (CVE-2021-30860) and BLASTPASS; Google Project Zero technical deep-dive; CERT-EU CVE brief; Amnesty’s MVT docs; Apple’s mercenary-spyware threat notification guidance.