Pegasus aftermath: How to check yourself if you are being spied on

The spyware is difficult to detect. But help is at hand

The Pegasus scandal is not a case of ‘mass’ surveillance. It is something worse – a method of ‘targeted’ surveillance | Photo: iStock

The revelations made by the Pegasus Project, initiated by Amnesty International and Forbidden Stories, have shown that governments worldwide have been using the Israeli NSO Group’s spyware to indulge in widespread snooping on more than 50,000 ‘targets’ of interest. The list includes journalists, human rights activists, academics, politicians, members of the judiciary, the bureaucracy, investigating agencies and even top health officials.

All this was done by illegally breaking into their phones, despite the Supreme Court decisively ruling that ‘Privacy’ is a Fundamental Right under the Indian Constitution.

Countering terrorism was an argument governments overused to justify snooping on their citizens. In India, the widespread dispersal of mobile telephony facilitated the conversion of a  larger section of the populace into ‘digital consumers’, especially in the last five years. With the expansion of the internet, efforts to build institutions for mass surveillance started gathering pace, although they varied from country to country. In India, the institutional approach to building surveillance systems began with the implementation of projects like the Central Monitoring System in 2007-08. It is important to note that in India these institutions were in place even before a large chunk of the population became a part of the digital user base.

Advertisement

The Pegasus scandal is not a case of ‘mass’ surveillance. It is something worse – a method of ‘targeted’ surveillance. The system allows for specific ‘targets’, especially those critical of the government and, in rare cases, those who are or were a part of the government establishment or even political establishment of the ruling party. For instance, the list includes a prominent member of the Sangh Parivar, Pravin Togadia, the former chief of the Vishwa Hindu Parishad.

Also read: Pegasus rising: Data protection bill could save govt from accountability

There are different methods by which the devices are exploited. Until recently the widely known method involved sending malicious software or link to the ‘target’ that would install the software on the device. What is significant about Pegasus is that it does not even require a ‘click’; this is why the Pegasus method of attack is described as a ‘zero-click install’.

Once a message is sent from a remote server or a location to the target device, it results in the automatic download of the malicious software, followed by installation. This allows for complete remote access. The link could be sent through multiple methods that could include SMS messages, WhatsApp messages, or wireless sharing apps.

Pegasus can be used to manipulate or alter the call records and existing data in the device on which it has been installed. It could be used to send a WhatsApp missed call, which then remotely runs a piece of code (software). This code can extract the attack victim’s call log records and manipulate them. This can be used to create records of calls that were in fact never made by the user and falsely implicate them. Strikingly, the receiver of the malicious missed call does not even have to receive the call for the attack to be initiated.

Developers associated with the free software movement in India have developed a Pegasus spyware detector bot, which helps in detecting if an attack has been commissioned from the database released by Amnesty International. Amnesty has also released scanners for Pegasus.

How It Works

The spyware is difficult to detect and has the ability to control devices. An exploit link paves the way for Pegasus to be installed in the device. Once such a message with the link is received, the spyware is loaded onto the device. A zero-click exploit infects the device without requiring the user to click on the link.

As part of its investigative report, Amnesty International has released a list of more than 1,400 domains that are associated with the spyware. These websites act as a source for malicious software to be installed. The bot’s developers have used this list of domains to crosscheck them with the URL provided to the bot. If you have received a message containing a URL from a domain associated with Pegasus, it is likely that your device has been affected.

How To Use It

To use the bot, you will need to download a Telegram application in Android/iOS. Search for @fsmi_pegasus_detector_bot and share any suspicious URLs or links with it. The bot checks if the URL is associated with the Pegasus spyware and alerts you accordingly. This is a primary test to check if one’s device has been attacked through the known list of vulnerabilities.

Does Using The Bot Ensure That Your Mobile Is Safe?

This bot has been developed to check if a received message contains any known URL associated with Pegasus. Using it can quickly ascertain if a link is potentially dangerous. If the bot is able to positively identify such a link, you can contact the Free Software Movement of India. If you would like to take the DIY route, use advanced tools such as https://github.com/mvt-project/mvt

Also read: Anil Ambani, former CBI chief Alok Verma on Pegasus list of targets

If the URL is not in the list of suspected sites, it does not mean that the device is completely clean or secure. It only means that it is not yet a known risk. The bot is noninvasive and does not scan your device for malware or spyware – it scans only the URL. Its purpose is not to rule out the presence of spyware, but to scan for any attack vector. As forensic tools typically require some technical know-how, the bot makes the first step in the process simpler.

One should always consider the possibility of an attack from another URL that is missing from the Amnesty report, as the list itself is not comprehensive.

Trackers That Come With Other Apps

When we install an application on our device and use its services, we expect that our data and interactions are just with the service we are using currently. Instead, what happens is that the application usually sends our data to various third-party services. These services track our usage of apps and their associated information (hence they are called ‘trackers’). These trackers aggregate the data they obtain from various sources and use them for their gain, or they simply sell the data. For instance, WhatsApp allows several third-party trackers to monitor users’ activity and app usage, with which they can track when they are using the device, when they are sleeping and possibly to whom they are talking.

The apps exploit their users’ innocence when they (the users) concur with the terms and conditions. Most apps have continuous access to geographic location, address book, photos, calendar, camera microphone and other applications on the device, which allow them to monitor user activity continuously. On average any mobile that is installed with social media applications, e-commerce apps, and Play Store services has close to a hundred trackers.

It is not just targeted surveillance that one should be worried about. Mass surveillance that is being carried out on Indian citizens, in the absence of a strong data protection law, leaves them vulnerable. If anything, the Pegasus scandal calls for urgent protection of citizen rights. The distance between digital freedoms and freedom in the real world is no longer as far as we had innocently imagined.

Y Kiran Chandra is general secretary, Free Software Movement of India, and has been associated with issues of software freedom, digital rights and issues of privacy.

https://twitter.com/kiranychandra

Get breaking news and latest updates from India
and around the world on thefederal.com
FOLLOW US: