Spyware is an invisible enemy - malicious software that can create a 24-hour surveillance device by infecting your mobile phone, copying your private photos, and reading your messages. It can even pinpoint your location.
Worried? You should be. Sophisticated spyware can worm its way into your iPhone or Android phone and quietly watch you with your own camera, flip through your photos, activate your microphone, and read your WhatsApp conversations.
An investigation by Amnesty International, The Washington Post, and 15 other media partners in 2021 revealed that some governments may be using military-grade software called ‘Pegasus’ to spy on individuals through their phones - not just targeting terrorists and criminals, but people who have not committed any crimes.
“Apple prides itself on its security and privacy features, but NSO Group has ripped these apart," deputy director of Amnesty tech Danna Ingleton said. "Our forensic analysis has uncovered irrefutable evidence that through iMessage zero-click attacks, NSO’s spyware has successfully infected iPhone 11 and iPhone 12 models. Thousands of iPhones have potentially been compromised."
Here’s how Pegasus spyware works:
Pegasus spyware is developed, marketed, and licensed to the governments by a private security company, Israeli’s NSO Group, which denies any wrongdoing: “NSO is a technology company. We do not operate the system.” NSO said it works only with government agencies and will cut off access to Pegasus if it finds evidence of abuse.
Here are five takeaways from Amnesty’s investigation and some SPYSCAPE security steps to help you protect your mobile phone and data from intruders.
1. Check if your phone is infected
Amnesty’s joint investigation revealed that up to 50,000 phones and devices may have been infected by Pegasus spyware - although that number could be much smaller. Many of those reportedly under surveillance are politicians, including French President Emmanuel Macron, journalists, lawyers, and human rights defenders.
Solution: If you suspect your phone is compromised, Amnesty has developed a tool to check for Pegasus spyware called the Mobile Verification Toolkit or MVT, with a source code available on GitHub. If you aren’t a techie, it may be easier to download an app such as iVerify to test for spyware. Don’t download software without reading the fine print first, however, and use a trusted source.
2. Keep software updated
Pegasus spyware can infect smartphones without any interaction. You no longer need to click on a malicious link in a message or email to activate spyware, a technique known as spear-phishing. Instead, sophisticated spyware infects your phone through ‘zero-click’ attacks, which don’t require your participation. The attacks exploit ‘zero-day’ vulnerabilities, which are flaws in an operating system that the phone’s manufacturer has not yet fixed.
Solution: Keep your devices patched with the latest updates from device-makers; install reliable anti-virus and anti-malware detection software, and; use a reliable internet security provider when choosing a spyware removal tool (some fraudulent utilities can be spyware themselves). Also, don’t click on unknown or phishing links in messages. That might not stop Pegasus, but it will prevent you from installing less sophisticated spyware.
3. Secure your digital communications methods
Pegasus spyware can invade iMessage, which is installed by default, and other widely used software like WhatsApp. Will Cathcart, chief executive of WhatsApp, told The Guardian that he saw parallels between the Pegasus revelations and a 2019 attack in which 1,400 WhatsApp users - including national security officials - were targeted by governments with NSO Group spyware. NSO denies any wrongdoing. A lawsuit is pending.
Solution: Secure your digital communication methods by following SPYSCAPE’s recommendations. If you are looking for an alternative to WhatsApp or iMessage, check out Signal, which is considered secure, reliable, and ethical - Edward Snowden has endorsed it - or Wire, a user-friendly and regularly audited app with strong encryption.
4. Consider virtual private networks and device compartmentalization
Pegasus spyware is highly sophisticated, costs millions of dollars to develop, may have a short shelf life, and is used to target specific individuals. So should you dismiss Pegasus because most people won’t need to worry about it?
Indian author Arundhati Roy warned against complacency: “To cynically dismiss it as a new technological iteration of an age-old game in which rulers have always spied on the ruled would be a serious mistake. This is no ordinary spying. Our mobile phones are our most intimate selves. They have become an extension of our brains and bodies.”
Matthew Green, a Johns Hopkins cryptographer, has also cautioned tech users from descending into a state of ‘security nihilism’ - giving in to the thinking that nothing can be done.
Solution: Green suggests keeping pressure on Google and Apple to come up with better security solutions. Until that happens, Green suggests practicing device compartmentalization such as using separate devices for separate apps, and having a virtual private network, or VPN, on mobile devices. Even if you’re not at risk from Pegasus, you may be vulnerable to other spyware and surveillance.
5. Your cloud account is as vulnerable as your mobiles and other devices
Pegasus isn’t the first and certainly won’t be the last spyware to threaten your data security but Amnesty’s study has renewed attention on the increasing number of unregulated, private companies selling spyware. Candiru, another Israeli-based ‘mercenary’ tech company, also uses spyware to infect computers, phones, and cloud accounts, according to a 2021 project involving the University of Toronto’s Citizen Lab and Microsoft. They found Candiru targeted activists, politicians, and others through fake websites masquerading as Black Lives Matter pages, or media and health companies.
Solution: Use precautions in all of your devices including cloud accounts. Citizen Lab and Microsoft concluded that in the absence of international safeguards and strong government export controls, spyware vendors will sell to clients who will routinely abuse their services: “Ultimately, tackling the malpractices of the spyware industry will require a robust, comprehensive approach that goes beyond efforts focused on a single high-profile company or country.”