The Pegasus spy scandal and the “sinister spread of spyware” presents a stark warning to anyone with a cellphone.
Revelations by Amnesty International this month about the global snooping scandal in which phones belonging to 14 heads of state ‒including President Cyril Ramaphosa ‒ hundreds of politicians, government officials, journalists and activists may have been hacked by Pegasus spyware, has sparked alarm over phone security around the world.
Whether targeting iPhone or Android systems, cybercriminals’ methods are becoming increasingly sophisticated, to the point that a user remains unaware that his/her phone has even been hacked.
The Pegasus Project was a collaboration of media organisations in 10 countries, co-ordinated by Forbidden Stories, a Paris-based media non-profit, with the technical support of Amnesty International, which conducted cutting-edge forensic tests on mobile phones to identify traces of the spyware.
The Pegasus spyware is owned by the Israel-based NSO group, but there are plenty of “hacker for hire” companies and hacking tools available to break into phones.
Amnesty International’s secretary general Agnes Callamard said the evidence “should send a chill down the spine of world leaders”, adding that “the sinister spread of spyware” was infiltrating even the higher echelons of power around the world.
The NSO group has rejected the Pegasus allegations, saying it’s intended use is only for law enforcement and government intelligence agencies.
Spyware infiltrates a phone through what is known as a “zero-click” attack, which allows the cybercriminal to hack, harvest data and establish surveillance without the user knowing about it.
It exploits a software or hardware flaw, and no interaction with the user is required. A phone can be hacked through a simple WhatsApp call which does not even have to be answered by the user. Such spyware can also be sent via SMS or email to infect the phone.
This week, Associated Press reported that, according to Angus King of the US Senate Intelligence Committee, one of the simplest methods to protect your phone from hackers was to switch it off and back on again. But it is only one precaution of many to be taken to safeguard phone security, according to the US National Security Agency (NSA).
Most users rarely switch off their phones, which often store huge amount of personal data, with hackers aiming to steal information as well as track locations and secretly switch on microphones and video recording. While the NSA Mobile Device Best Practices list recommends switching your phone off and on weekly as a precaution, other measures to take include:
- Disabling BlueTooth and wi-fi when not using either.
- Never connecting to public wi-fi networks.
- Using a protective case to drown or block room audio.
- Covering the camera.
- Disabling location services when not needed.
- Never using public USB charging devices.
- Installing only a minimal number of applications.
- Being extremely cautious about entering any personal information into applications.
- Updating device software and applications as soon as possible.
However, South African cybersecurity experts have said that simply switching your phone off and on every week would not stop hackers. On Friday, Anna Collard, senior vice-president, contact strategy and evangelist at KnowBe4 Africa, said: “This is not going to help to protect against sophisticated spyware such as Pegasus or other persistent malware. Although there is some logic to it, this would be too easy and would not protect you fully.”
She said spyware such as Pegasus was expensive to obtain, meant for use by nation states and was not intended for public use.
“However, financially motivated cybercriminals use similar deployment techniques to get their mobile malware, such as banking Trojans, on to their target’s phone.”
Collard added that this is done through “zero-click” distribution, which uses weaknesses in popular apps to install malicious spyware, or alternatively through using older methods of social engineering, which encourage users to click on a link which then downloads the malware.
University of KwaZulu-Natal Professor in Criminology and Forensic Studies, Nirmala Gopal, whose research field is in cybersecurity/cybercriminality, said while there was no scientific evidence to show the extent of phone hacking, and that unsubstantiated claims could lead to “public panic and paranoia”, it does remain “a real and emerging global challenge”.
“As with any other crime, there will be a motive, thus if the regular member of the public is on a perpetrator’s list for specific information, personal banking information or any other confidential data, it stands to reason that the member will be targeted,” she said.
She added that while it is “not easy to fall prey to phone hackers, they are evolving and discovering ways to hack phones as their livelihoods. Like any other crime, if you have a market, you will have a supply”.
“Keep sensitive information tightly coded and be aware of what transactions and data your phone will provide to a potential hacker. You cannot control unscrupulous criminals, but you can control what and how you use your cellphone,” said Gopal.
Key red flags which indicate your phone has been hacked include:
- If your battery runs down too quickly.
- If you have pop-ups appearing or strange apps that you haven’t downloaded.
- Changes in airtime or data usage, particularly if your data usage has increased exponentially even if you have not overstepped your regular usage.
- You identify cell numbers that you have not called.
- You see applications which you have not accessed.
The Independent on Saturday