Pegasus, Predator, Hermit Spyware – NSO and its clones

Recent revelations about commercial mobile spyware give us insight into the sophisticated techniques being used to spy on smartphones.
Late 2021 and the first half of 2022 have seen multiple stories about the activities of the surveillance-for-hire industry. The flurry of news started in December when researchers at the University of Toronto’s Citizen Lab released information about its investigation of Predator, spyware produced by North Macedonia-based Cytrox. Citizen Lab identified likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. This announcement coincided with Meta’s disclosure that it had banned seven surveillance-for-hire organizations from its platforms, among them the aforementioned Cytrox together with four Israeli, one Chinese, and one Indian hacking outfit. More recently we learned about Hermit spyware, developed by the Italian outfit RCS Lab.
It turns out that, as the spotlight has been shone on this murky world, NSO, the now notorious developer of Pegasus, the original iPhone hacking spyware, has many clones and competitors and is ‘only one piece of a much broader global cyber mercenary industry.’ A recent European Parliament report listed 35 commercial spyware products. But Pegasus itself has also been in the news. In May we learned that the Spanish prime minister’s phone had been infected with Pegasus. This was a further twist in a tangled web of spying allegations which culminated in the resignation of the head of CNI, Spain’s national security agency, over its use of Pegasus to spy on members of the Catalan independence movement. In June 2022 NSO told MEPs that at least five EU countries have used Pegasus, while European Parliament researchers identified that Pegasus had been used against citizens in at least ten EU countries.
Surveillance technology has been around for a long time. The security services in Elizabethan England were adept at opening sealed correspondence without detection. More recently Edward Snowden revealed how the NSA was collecting vast amounts of sensitive data by tapping into the world’s communications networks. The rise in the use of end-to-end encrypted messaging apps such as WhatsApp, Signal, and Telegram meant that network surveillance became ineffective. Spooks wanted access to the phones themselves in order to read the unencrypted version of these messages, and vendors such as NSO emerged to address this need.
For those of us working in mobile endpoint security, the most interesting aspect of these reports is the hard evidence they provide of numerous vulnerabilities in mobile phone software which these actors have discovered and exploited. Unlike off-the-shelf malware, which works by tricking end-users into granting dangerous permissions (for example allowing the app to overlay screens or intercept messages), advanced malware is impossible for end-users to detect and easily evades anti-virus software. It is exactly this type of threat that mobile endpoint security solutions are designed to address, and the more we know about their operations the better we can do our job.
Broadly speaking, software vulnerabilities fall into two categories: zero-day and n-day. Zero-day vulnerabilities are unknown to the software vendor. They are the most dangerous because even well-patched devices are unprotected. N-day vulnerabilities are those which are known to the vendor. Generally these will have been addressed in the latest software release, though sometimes the security implications of a bug are missed, leading to a delay in patching. N-day vulnerabilities matter because we know that only a minority of phones are fully up to date at any point in time. Cytrox, the maker of Predator, spyware for Android, used a combination of zero-day and n-day vulnerabilities in both Android and Chrome to deploy its malicious software.
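The practical consequence of the n-day point above is that a fleet audit of security patch levels tells you which devices are exposed to already-fixed bugs. The following is an added example, not code from the original article or any vendor: it parses constructed sample output in the form a script might collect from `adb shell getprop ro.build.version.security_patch` (a real Android property) and classifies each device against an assumed reference bulletin date and grace window.

```python
from datetime import date

# Constructed sample fleet data, one line per device:
# "<device-id> <value of ro.build.version.security_patch>".
# The last device has no patch property reported (e.g. a custom ROM).
SAMPLE_FLEET = """\
pixel-a1 2022-06-05
galaxy-b2 2021-11-01
pixel-c3 2022-05-05
unknown-d4
"""

# Assumption: the most recent monthly Android security bulletin at audit time.
LATEST_PATCH = date(2022, 6, 5)


def parse_fleet(text):
    """Return {device_id: patch_date or None} from the collected property lines."""
    devices = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[0]
        try:
            devices[dev] = date.fromisoformat(parts[1]) if len(parts) > 1 else None
        except ValueError:
            devices[dev] = None  # malformed value: treat as unknown, not as patched
    return devices


def classify(patch, latest=LATEST_PATCH, grace_days=35):
    """Classify one device: ('current'|'n-day exposed'|'unknown', days behind latest)."""
    if patch is None:
        return ("unknown", None)
    behind = (latest - patch).days
    # One monthly bulletin of lag is tolerated (rollouts are staggered); more than
    # that means publicly known, vendor-fixed bugs are still live on the device.
    if behind <= grace_days:
        return ("current", behind)
    return ("n-day exposed", behind)


def audit(text, latest=LATEST_PATCH):
    """Audit a whole fleet dump and return {device_id: classification}."""
    return {dev: classify(patch, latest) for dev, patch in parse_fleet(text).items()}


if __name__ == "__main__":
    for dev, (status, behind) in audit(SAMPLE_FLEET).items():
        print(f"{dev:12s} {status:14s} {behind if behind is not None else '-'}")
```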
In June Google reported the discovery of Hermit, spyware for Android and iOS developed by the Italian company RCS Lab. Google identified victims in Italy and Kazakhstan. Researchers believe that the spyware was used to target anti-government protesters in the latter country. The iOS version exploited four n-day vulnerabilities and two zero-day vulnerabilities. All of these vulnerabilities have now been patched by Apple. Google was unable to provide a comprehensive analysis of the Android version of the spyware, which masquerades as a legitimate Samsung app. The initial download does not contain exploits but instead uses the ‘lower tech’ method of tricking users into granting permissions which it then abuses. The app has the ability to fetch and run remote modules which, researchers speculate, may contain exploits.
The work of digital privacy organizations, NGOs, security researchers and public oversight bodies gives us important glimpses into the capabilities of mobile spyware, but we must acknowledge how much remains hidden. Most of what is public relates to the use of commercial spyware by governments to target dissidents. We know much less about spyware developed in-house by security agencies and almost nothing about its use by cybercriminals and hostile nation-states. However, what we have learned is worrying. We now know that multiple commercial spyware vendors have developed tools similar to Pegasus. From Google’s Threat Advisory Group we learned that they are tracking over 30 vendors with ‘varying degrees of sophistication and public exposure’ selling commercial surveillance products. It would be foolhardy to assume that such tools are not also in the hands of nation-states and cybercriminals. Moreover, recent disclosures have confirmed that the surveillance-for-hire industry has moved beyond targeting politicians and dissidents and is being used for industrial espionage. Black Cube, one of the entities blocked by Meta, has customers across the medical, mining, minerals, and energy industries and targets organizations in the telecoms, high-tech, legal, financial, and real estate industries.
These revelations have confirmed the existence of multiple tools which have successfully exploited vulnerabilities in both iOS and Android to enable remote access to the full range of smartphone capabilities, including audio, messaging applications, and cameras. Russia’s invasion of Ukraine has returned the world to a geopolitics reminiscent of the Cold War. Cyber weapons are increasingly being deployed against civilian targets to disrupt the smooth functioning of the economy and society, as well as for financial gain. Your attackers have both the motivation and the capability to target your employees’ mobile devices. The threat posed to organizations by sophisticated spyware has never been more acute. Let vigilance be your watchword.