How Pegasus spyware ‘found on a device connected to Number 10’ works

Downing Street computer systems are suspected to have been infected by powerful hacking spyware linked to spies in the United Arab Emirates.

It led to Boris Johnson’s mobile phone being analysed by cybercrime investigators and, although the sweep of devices failed to identify the source, has thrust the software used into the spotlight.

So just what is Pegasus, how does it work and who can be targeted?

One expert warned that it effectively means ‘every phone in every pocket is a spy’, with the terrifying spyware able to film users through their device’s camera, record conversations, listen to calls and even send messages.

Pegasus is sold by the Israeli-based NSO Group so governments can carry out surveillance by infecting phones with the military-grade software.

But ordinary members of the public may also be at risk, sometimes without so much as a click of a button.

While its not entirely clear how Pegasus conducts its ‘zero-click’ attacks, experts believe functions including Photos, WhatsApp, iMessage and Apple Music are vulnerable and can give the program access to victims’ location, videos and photos, messages, contact list and more

How is Pegasus installed on smartphones?

Since 2019, hackers have been able to install the software on smartphones with a missed call on WhatsApp, and can even delete the record of the missed call, making it impossible for the phone’s owner to know they have been targeted. 

‘Pegasus can be installed on phones via a simple text message or through exploiting vulnerabilities on devices that can even deploy without requiring the user to click anything,’ cyber security expert Jake Moore from ESET told MailOnline. 

‘Once the software is placed on a device it can copy messages, view photos, record phone calls, and even secretly view the user via the phone’s camera and both Android and Apple phones are vulnerable. 

‘This makes it extremely dangerous and powerful in surveillance attacks, leaving targeted victims in the dark.’

What can the spyware gain access to?

Pegasus can stealthily enter a smartphone and gain access to everything on it, including its camera and microphone. 

It is designed to infiltrate devices running Android, Blackberry and iOS operating systems and turn them into surveillance devices. 

NSO Group has always defended its use, saying it only sells Pegasus to governments for legitimate law enforcement and intelligence purposes, such as against criminals or terrorists.

But it has faced intense scrutiny over the claim. 

Once installed, the spyware can theoretically harvest any data from the device and transmit it back to the attacker. 

As well as stealing photos and videos, it can record a person’s location, web searches, passwords and social media posts.

The software can even activate cameras and microphones for real-time surveillance without the permission or knowledge of the user.

Who is being targeted?

It is currently unclear who or what types of people are being targeted and why, although it tends to be high-profile figures.

‘Governments often use spyware to carry out international espionage against other governments but like with any weapon art, it can also be lethal in the wrong hands,’ Moore said.

‘High profile people must be aware of the ease at which this can occur and must take precautions such as using a second device for official business and hold private meetings away from any device where possible. 

‘Other people could also potentially be targeted but it is less likely.’

He added: ‘It is therefore vital everyone always continually updates their devices at the earliest opportunity to help best protect their personal information.’

What happened in No 10?

Canadian investigative group Citizen Lab said suspected Pegasus spyware was discovered on Downing Street and Foreign Office computer systems in 2020 and 2021.

The claims are linked to an investigation by the New Yorker magazine, which looked at the targeting of individuals campaigning for Catalan independence from Spain.

Speaking to BBC Radio 4’s Today programme, the New Yorker’s investigative reporter Ronan Farrow said the belief is that data was exfiltrated from the computer network at No 10.

He added: ‘They don’t know whom the device in question belonged to but they do know that someone connected to that network through their phone was hacked.

‘UK officials that I spoke to did confirm that the network was compromised — [but] they were not able to find a specifically-hacked phone.

‘In the case of the Foreign Office hacks they did find evidence of that hacking.’

Discussing the Pegasus software, Farrow said: ‘It cracks open phones, it gives access to all of the most intimate content on that phone, your text messages, your photos, anything that can be weaponised against you, or be of interest to someone looking to surveil you.

Powerful spyware known as Pegasus was used to infect a device connected to the network at 10 Downing Street, it has been claimed

‘Or, in the most sophisticated cases of this technology, it turns on your microphone, it turns on your camera — it provides real time surveillance.

‘So essentially this means every phone in every pocket is a spy, and as we’re seeing with those uses, that can be something that is used by authoritarians seeking to crack down on dissent.’

Who else has fallen victim to Pegasus hacks? 

It is not just the British government that has been targeted, however.

In September last year, traces of Pegasus spyware were found on the mobile phones of at least five current French cabinet ministers, according to the investigative website Mediapart.

The revelation came two months after it was claimed that rights activists, journalists and lawyers around the world had been targeted with the phone malware sold to authoritarian governments by NSO Group.

They were on a list of some 50,000 phone numbers of people, although it was not clear where the this came from or how many phones had actually been hacked.

Politicians and heads of state, business executives, activists, and several Arab royal family members were all on the list, along with more than 180 journalists from organisations including CNN, the New York Times and Al Jazeera. 

Boris Johnson’s mobile phone was analysed by cybercrime investigators following the breach

NSO denied any wrongdoing at the time.

Despite the company insisting that it only sells the software to selected governments, there are fears it could be manipulated by less sophisticated hackers and used to target regular people. 

It has already been found deployed to hack journalists, lawyers and human rights defenders, among others.

Jakub Vavra, a mobile threat analyst at software security company Avast, said: ‘Since 2016, we have tracked and blocked several attempts by Pegasus spyware to breach Android phones, most of them in 2019. 

‘Evidently it is used as a highly targeted tool, as unlike spyware which often is spread widely to harvest masses of user data, Pegasus is used only on a few individuals, apparently, for surveillance purposes. 

‘The minimal spread of the spyware doesn’t make it less dangerous, for each individual being under surveillance the scope of privacy damage is certainly very high.’

What can you do to protect your smartphone?

Beware of spam text messages and don’t click any links from an unknown source.

Cyber security expert Jake Moore said it was ‘vital’ that everyone also ‘continually updates their devices at the earliest opportunity, to help best protect their personal information.’

It is also good practice to enlist two-factor authentication on your devices, because when an identity-specific action is required on top of entering your password and username, it becomes significantly harder for fraudsters to access your information. 

Two-factor authentication provides a way of ‘double checking’ that you really are the person you are claiming to be when you’re using online services, such as banking, email or social media.

The option to switch on two-factor authentication is usually found in the settings of your device, where it may also be called 2-step verification (2SV). 

Last September Apple released an emergency software patch to fix a security vulnerability that researchers said could allow Pegasus hackers to directly infect iPhones and other Apple devices without any user action.

The flaw was identified by spyware researchers at Citizen Lab and reportedly affected all of Apple’s operating systems.

It was the first time a so-called ‘zero-click’ exploit had been caught and analysed, said the researchers, who found the malicious code on September 7, 2021 and immediately alerted Apple.