Since the information about Pegasus came to light, everyone is scared about getting their phones hacked. A leaked list revealed that more than 1400 people, including 2 serving ministers, 3 opposition leaders, over 40 journalists and one sitting judge, were targeted by the Israeli spyware.
The software has evolved from its earlier method of using text links or messages to ‘zero-click’ attacks. A zero-click attack no longer requires any action from the phone’s user. The spyware has become more potent and almost impossible to detect or stop.
The Guardian quoted Claudio Guarnieri, who runs Amnesty International’s Berlin-based Security Lab, saying that once a phone was infiltrated, Pegasus had “more control” over it than the owner. This is because in an iPhone, for instance, the spyware gains “root-level privileges”. After this, it can view everything from contact lists to messages and internet browsing history and send the same to the attacker.
How does the zero-click attack work?
A zero-click attack helps spyware gain control over a device without any human error or interaction. Avoiding certain links or any type of phishing attack therefore becomes pointless, as the target is the system itself. These attacks target the software that receives data, before it has even determined whether that data is safe.
Cybersecurity firm ZecOps claimed earlier this year that Apple devices such as iPads and iPhones have traditionally been vulnerable to unassisted attacks, especially through the mail app. From iOS 13, this became a vulnerability to zero-click attacks too. A ZecOps blog published this April said, “The vulnerability allows remote code execution capabilities and enables an attacker to remotely infect a device by sending emails that consume a significant amount of memory.” However, Apple reportedly patched this in April 2020.
In Android phones running version 4.4.4 and above, the vulnerability came through the graphics library. Attackers have also exploited vulnerabilities in WhatsApp, where a phone could be infected even if an incoming malicious call was not picked up, and in Wi-Fi chipsets used to stream games and movies.
However, Amnesty claims even patched devices with the latest software have been breached.
Can these attacks be avoided?
Zero-click attacks are hard to detect given their nature, and hence even harder to prevent. In encrypted environments, where there is no visibility into the data packets being sent or received, detection becomes even harder.
Users can ensure all operating systems are updated, so that their devices carry the patches for vulnerabilities the companies have resolved. Also, do not download anything from sources other than Google Play and Apple’s App Store. One way, although a little extreme, would be to stop using apps altogether and switch to the browser for using social media and checking emails, even on the phone.