Pegasus, Predator, Hermit Spyware – NSO and its clones

Mobile Spyware

Recent revelations point to the proliferation of sophisticated cyber-surveillance tools targeting iOS and Android devices.

The recent revelation that the Indian government was engaged with up to a dozen surveillance-for-hire companies brings into sharp focus the way in which spyware has proliferated in recent years. Long gone are the days when the NSO Group’s notorious Pegasus software was the only kid on the block. The growth in the spyware industry was underscored by Meta’s second “Threat report on the Surveillance-for-Hire industry” released in December, which spoke of “a sprawling industry that provides intrusive software tools and surveillance services… this industry “democratizes” these threats, making them available to government and non-government groups that otherwise wouldn’t have these capabilities to cause harm. They, in effect, exponentially increase the supply of threat actors in the world.” A database of spyware-related incidents catalogued 19 disclosed cases in 2022 alone involving not just NSO but fellow Israeli organizations Cytrox, QuaDream and Paragon and the Italian company RCS Lab. The difficulty of tackling the use of these sophisticated and invasive cyber-surveillance tools is highlighted by the fact that they continue to spread, notwithstanding significant actions by the US administration, including the blacklisting of NSO in November 2021.


A spate of spyware incidents

In late 2021 and throughout 2022, we saw multiple stories about the activities of the surveillance-for-hire industry. The flurry of news started when researchers at the University of Toronto’s Citizen Lab released information about its investigation of Predator, spyware produced by North Macedonia-based Cytrox. Citizen Lab identified likely Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. This announcement coincided with Meta’s disclosure that it had banned seven surveillance-for-hire organizations from its platforms, among them the aforementioned Cytrox, together with four Israeli, one Chinese, and one Indian hacking outfit. In June, we learned about Hermit spyware developed by Italian outfit RCS Lab. Predator has been implicated in an ongoing and politically explosive hacking controversy in Greece described by Politico as “a scandal that has spiralled into Greece’s own version of the US’s 1972 Watergate intrigue.” As the spotlight has been shone on this murky world, we are discovering that NSO, the now notorious developer of Pegasus, the original iPhone hacking spyware, has many clones and competitors and is ‘only one piece of a much broader global cyber mercenary industry.’

Surveillance technology has been around for a long time. The security services in Elizabethan England were adept at opening sealed correspondence without detection. More recently, Edward Snowden revealed how the NSA was collecting vast amounts of sensitive data by tapping into the world’s communications networks. The rise in the use of end-to-end encrypted messaging apps such as WhatsApp, Signal, and Telegram meant that network surveillance was ineffective. Spooks wanted access to phones to read the unencrypted version of these messages, and vendors such as NSO emerged to address this need.

Vulnerabilities and Exploits

For those of us working in mobile endpoint security, the most interesting aspect of these reports is the hard evidence they provide of numerous vulnerabilities in mobile phone software which these actors have discovered and exploited. Unlike off-the-shelf malware, which works by tricking end-users into giving dangerous permissions (for example, allowing the app to overlay screens or intercept messages), advanced malware is impossible for end-users to detect and easily evades anti-virus software. It’s exactly this type of threat that mobile endpoint security solutions are designed to address, and the more we know about their operations, the better we can do our job.

Broadly speaking, software vulnerabilities fall into two categories: zero-day and n-day. Zero-day vulnerabilities are unknown to the software vendor. They are the most dangerous because even well-patched devices are unprotected. N-day vulnerabilities are those which are known to vendors. Generally, these will have been addressed in the latest software release, though sometimes the security implications of a bug may be missed, leading to a delay in patching. N-day vulnerabilities matter because we know that only a minority of phones are fully up to date at any point in time. Cytrox, the maker of the Predator spyware for Android, used a combination of zero-day and n-day vulnerabilities in both Android and Chrome to deploy its malicious software.

In June, Google reported the discovery of Hermit, spyware for Android and iOS developed by Italian company RCS Lab. Google identified victims in Italy and Kazakhstan. Researchers believe that the spyware was used to target anti-government protesters in the latter country. The iOS version exploited four n-day vulnerabilities and two zero-day vulnerabilities. All vulnerabilities have now been patched by Apple. Google was unable to provide a comprehensive analysis of the Android version of the spyware, which masquerades as a legitimate Samsung app. The initial download does not contain exploits but instead uses the ‘lower tech’ method of tricking users into granting permissions which it then abuses. The app has the ability to fetch and run remote modules, which, researchers speculate, may contain exploits.
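A triage sketch for the Android delivery pattern described above (vendor masquerade, abused permissions, remote modules), as an added example that is not from the original article or from Google's analysis. The inventory fields, the `loads_remote_code` flag, the signer allowlist and the sample records are assumptions constructed for illustration.

```python
# Installer package names of the Play Store and Galaxy Store.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Permissions giving access to messages, audio, camera, location or overlays.
SENSITIVE = {
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.SYSTEM_ALERT_WINDOW",
}

# Hypothetical allowlist: brand keyword -> signing-certificate digests the
# organization has verified for that vendor (placeholder value).
VERIFIED_SIGNERS = {"samsung": {"PLACEHOLDER_SAMSUNG_CERT_SHA256"}}

def triage(app):
    """Return the list of reasons one inventory record looks suspicious."""
    reasons = []
    label = app.get("label", "").lower()
    for brand, signers in VERIFIED_SIGNERS.items():
        if brand in label and app.get("signer_sha256") not in signers:
            reasons.append(f"claims {brand} branding, signer not verified")
    if app.get("installer") not in TRUSTED_INSTALLERS:
        reasons.append("sideloaded (no trusted store installer)")
    granted = SENSITIVE & set(app.get("granted_permissions", []))
    if len(granted) >= 3:
        reasons.append("broad sensitive permissions: " + ", ".join(sorted(granted)))
    if app.get("loads_remote_code"):  # assumed flag from an MTD/EDR agent
        reasons.append("fetches and runs code after install")
    return reasons

def flagged(inventory, threshold=2):
    """Packages with at least `threshold` reasons, highest count first."""
    hits = [(a["package"], len(triage(a))) for a in inventory]
    return sorted([h for h in hits if h[1] >= threshold], key=lambda h: -h[1])

# Constructed sample inventory (not real apps or certificates).
SAMPLE_INVENTORY = [
    {"package": "com.example.vendor.notes", "label": "Samsung Notes",
     "installer": "com.sec.android.app.samsungapps",
     "signer_sha256": "PLACEHOLDER_SAMSUNG_CERT_SHA256",
     "granted_permissions": ["android.permission.CAMERA"]},
    {"package": "com.example.fakevendor", "label": "Samsung",
     "installer": None, "signer_sha256": "CONSTRUCTED_UNKNOWN_DIGEST",
     "granted_permissions": ["android.permission.READ_SMS",
                             "android.permission.RECORD_AUDIO",
                             "android.permission.CAMERA"],
     "loads_remote_code": True},
    {"package": "com.example.internaltool", "label": "Internal Tool",
     "installer": None, "signer_sha256": "CONSTRUCTED_INTERNAL_DIGEST",
     "granted_permissions": ["android.permission.CAMERA"]},
]
```

A single signal, such as an internally sideloaded tool, stays below the threshold; it is the combination of signals that is surfaced for review.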

What’s lurking in the shadows?

The work of digital privacy organizations, NGOs, security researchers and public oversight bodies gives us important glimpses into the capabilities of mobile spyware, but we must acknowledge how much remains hidden. Most of what is publicly known relates to the use of commercial spyware by governments against political opponents. We know much less about spyware developed in-house by security agencies and almost nothing about its use by cybercriminals and hostile nation-states. However, what we have learned is worrying. We now know that multiple commercial spyware vendors have developed tools similar to Pegasus. From Google’s Threat Advisory Group, we learned that they are tracking over 30 vendors with ‘varying degrees of sophistication and public exposure’ selling commercial surveillance products. It would be foolhardy to assume that such tools are not also in the hands of nation-states and cybercriminals. Moreover, recent disclosures have confirmed that the surveillance-for-hire industry has moved beyond targeting politicians and dissidents and is being used for industrial espionage. Black Cube, one of the entities blocked by Meta, has customers across the medical, mining, minerals, and energy industries and targets organizations in the telecoms, high-tech, legal, financial, and real estate industries.

These revelations have confirmed the existence of multiple tools which have successfully exploited vulnerabilities in both iOS and Android to enable remote access to the full range of smartphone capabilities, including audio, messaging applications, and cameras. Russia’s invasion of Ukraine has returned the world to a geopolitics reminiscent of the Cold War. Cyber weapons are increasingly being deployed against civilian targets to disrupt the smooth functioning of the economy and society as well as for financial gain. Your attackers have both the motivation and the capability to target your employees’ mobile devices. The threat posed to organizations by sophisticated spyware has never been more acute. Let vigilance be your watchword.
