Introduction: The Infamous NSO Group
NSO Group, an Israeli cybersecurity firm, is best known for its notorious spyware, Pegasus. Marketed as a tool for "fighting terrorism" and aiding law enforcement investigations, Pegasus has instead been widely used by authoritarian regimes and governments to spy on journalists, dissidents, activists, and political opponents.
How Pegasus Spyware Works
Pegasus is a zero-click spyware, meaning it can infect a target’s phone without the victim clicking a malicious link or downloading anything. Some of the attack vectors used by Pegasus include:
Zero-click iMessage Exploits (Apple Devices)
- Previously leveraged vulnerabilities in iMessage to install itself without user interaction.
- Apple has since patched many of these exploits, but new ones continue to emerge.
WhatsApp Video Call Exploit (2019)
- Pegasus exploited a vulnerability in WhatsApp’s call handling—just receiving a call could compromise the device.
Baseband Exploits & Silent SMS Attacks
- Some spyware, including Pegasus, exploits vulnerabilities in baseband firmware to silently track, intercept, or manipulate network-layer communications.
- This means that even if a phone is secure at the OS level, its baseband can still be compromised.
- Such attacks may involve DIAG mode exploits, bugs in TLV (type-length-value) message parsing, or malformed signaling messages.
Zero-Day Vulnerabilities in Browsers & OS Kernels
- NSO has also leveraged browser exploits (Safari, Chrome) and kernel vulnerabilities to gain remote access.
The Surveillance-for-Profit Industry
NSO Group is only one of many companies profiting from the surveillance economy. Other notable players include:
- Cytrox: Creator of Predator spyware, a Pegasus alternative.
- Candiru: Another Israeli firm specializing in state-sponsored hacking tools.
- FinFisher (Germany): Provided spyware to oppressive regimes before being shut down.
These firms do not participate in bug bounty programs. Instead, they hoard zero-day vulnerabilities and sell them to the highest bidders—often government entities that use them for covert surveillance.
What Can Be Done?
Apple & Google Hardening Security
- Apple introduced Lockdown Mode in iOS to limit attack surfaces like iMessage and Safari WebKit exploits.
- Android security patches continue improving, but baseband vulnerabilities remain difficult to address.
Baseband Security: A Major Blind Spot
- Offensive researchers are exposing weaknesses, but vendors (Qualcomm, MediaTek) keep baseband firmware locked down.
- This secrecy allows continued exploitation by governments and private actors.
Protecting Journalists & Activists
- Security experts recommend burner phones, disabling iMessage & FaceTime, and avoiding high-risk apps.
- Greater transparency about spyware use is needed, though governments are unlikely to comply.
Has Pegasus Been Reverse-Engineered?
Security researchers have analyzed traces of Pegasus infections, but the full source code of the spyware has not been made public.
Key Research Efforts
- The Citizen Lab (University of Toronto) and Amnesty International have published forensic reports detailing Pegasus' attack methods.
- Kaspersky, Lookout, and other cybersecurity firms have analyzed fragments of Pegasus payloads.
Why Hasn't It Been Fully Reverse-Engineered?
NSO Group employs several strategies to prevent forensic analysis:
- The spyware self-destructs when it detects forensic attempts or debugging activity.
- It operates at a low level (baseband, kernel, WebKit) to minimize traditional malware traces.
- Pegasus runs in-memory and does not persist on disk like traditional malware.
Legal and Governmental Barriers
- Pegasus is classified as a weapon-grade cyber tool and subject to Israeli export restrictions.
- Publishing a full reverse-engineering analysis could put researchers at legal risk.
What Parts of Pegasus Have Been Analyzed?
Although a full breakdown has not been made public, researchers have documented key attack techniques:
- Forensic tools (from Citizen Lab & Amnesty) can detect artifacts of Pegasus infections.
- Apple’s Lockdown Mode was built in response to Pegasus behaviors.
- Exploits used by Pegasus (e.g., FORCEDENTRY, KISMET) have been dissected.
- Indicators of Compromise (IoCs) linked to Pegasus are publicly documented.
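As an added, defender-side example (not code from this article, nor from Citizen Lab or Amnesty), the script below shows how publicly documented IoCs distributed as STIX2 indicators, the format Amnesty's Mobile Verification Toolkit (MVT) consumes, can be matched against records pulled from a device backup. The bundle, the browser-history records and the process list are constructed placeholders, and the domain matching rule (exact host or any subdomain of an indicator domain) is an assumption of this example.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX2 bundle in the shape public IoC feeds use; values are placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "indicator", "pattern": "[domain-name:value = 'placeholder-c2.example']"},
        {"type": "indicator", "pattern": "[process:name = 'placeholderd']"},
        {"type": "malware", "name": "Placeholder"},  # not an indicator, skipped
    ],
})

# Handles the single-comparison STIX patterns such feeds mostly contain
PATTERN_RE = re.compile(r"^\[(?P<obj>[\w-]+):(?P<prop>[\w.]+)\s*=\s*'(?P<val>[^']*)'\]$")

def load_indicators(bundle_json):
    """Return {(stix_object_type, property): set of lowercased values}."""
    indicators = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue
        m = PATTERN_RE.match(obj.get("pattern", "").strip())
        if not m:  # compound patterns (AND/OR) are outside this parser
            continue
        indicators.setdefault((m["obj"], m["prop"]), set()).add(m["val"].lower())
    return indicators

# Constructed records of the kind a device backup yields
SAFARI_HISTORY = [
    {"url": "https://news.example.org/article/1"},
    {"url": "https://cdn.placeholder-c2.example/stage2"},
]
PROCESS_LIST = ["launchd", "placeholderd", "mediaserverd"]

def domain_hit(host, domains):
    """Assumed rule: exact host match or any subdomain of an indicator domain."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def scan(indicators, history, processes):
    """Return (indicator_kind, matched_value) pairs for every IoC hit."""
    domains = indicators.get(("domain-name", "value"), set())
    names = indicators.get(("process", "name"), set())
    hits = [("domain-name", r["url"]) for r in history
            if domain_hit(urlparse(r["url"]).hostname or "", domains)]
    hits += [("process", p) for p in processes if p.lower() in names]
    return hits
```

A real run would replace the constructed inputs with a published STIX2 feed and the history and process tables extracted from a backup; every hit is a lead for manual review, not a verdict on its own.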
Are Hackers Trying to Reverse It?
Yes, but several challenges make it difficult for independent researchers:
- Live Pegasus samples are rare and difficult to obtain.
- The spyware self-destructs before deep forensic analysis can occur.
- NSO’s clients (government agencies) use customized versions, complicating tracking efforts.
Conclusion
Pegasus has been partially reverse-engineered, but a full technical breakdown remains elusive due to its self-destruct mechanisms, legal risks, and sophisticated obfuscation techniques.
NSO Group and similar companies continue to exploit low-level attack surfaces—including baseband firmware, DIAG debugging interfaces, silent SMS vulnerabilities, and OS-level zero-days—to enable their spyware.
Rather than participating in ethical bug bounties to improve global security, these firms sell exploits to surveillance states, allowing them to track, intimidate, and suppress political opposition.