A Canadian university recently released a study of cellphone spyware and claimed it had identified legal (for government agencies) spyware being used in 45 countries to secretly reside on Apple iPhone cellphones and send activity on the cellphone back to those who put the spyware on the phone. This spyware (Pegasus) was made by an Israeli firm (NSO Group) and has been available since 2010. NSO is continually upgrading Pegasus to work on subsequent versions of IOS (the iPhone operating system).

NSO responded to the university study by pointing out that it only sold to governments and had no control over what happened to Pegasus after a user obtained it and put it to work. Moreover, there are many apps out there similar to Pegasus which, while not as effective as Pegasus, are often sold to criminal organizations and anyone who can pay. Such spyware has been around since shortly after cellphones first appeared. Israel is often the target of such spyware since many governments and organizations hostile to Israel try to use such spyware against Israel. For that reason, Israel has become the foremost producer of Internet security software as well as spyware. Naturally, the Israelis do not want this security software used against them and one method for doing that is to make spyware detection and prevention software widely available.

Earlier in 2018, there was a highly publicized example of what NSO was talking about. It was revealed in the media how a successful cellphone spyware incident involved a group of Pakistani hackers, who specialized in creating and maintaining surveillance software (similar to Pegasus) for parents to track their children (or a spouse). This group was apparently hired by the Pakistani ISI (Inter Service Intelligence agency, the local equivalent of the CIA/NSA) to create spyware (Stealth Mango for Android and Tangelo for IOS) versions of the surveillance software and then help distribute it to some key government officials and civilians in Afghanistan, India, Iraq, Iran, the United Arab Emirates and Pakistan using Facebook Messenger. This approach uses a lot of “social engineering” as the hackers must contact the target individuals and persuade these potential victims to download an app that pretends to be something other than spyware. Most targeted individuals were either not interested or didn’t trust the offer. The most secure (resistant to this spyware) cell phone was the iPhone and the spyware would only work on the small number of iPhones that that had been modified (“jailbroken”) to run apps that did not come from the Apple App Store. As usual, the Android phones were much more vulnerable. In any event, it appears that only about a dozen people were persuaded to install the app. That, it turned out, was enough key people to collect a lot of important data.

The Stealth Mango/Tangelo effort was another intelligence-gathering operation that, in this case, collected a lot of sensitive data about American and Australian military and diplomatic activities. Collecting and transmitting the data (without the phone owner being aware) was how Stealth Mango/Tangelo was discovered (by an Australian Internet security company) in early 2018. Stealth Mango/Tangelo needed a lot of permissions on the infected phone in order to work and mostly went after data (documents and photos) as well as messages, location and contact lists. At least 40 GB of material was stolen from the infected phones by the hackers before Google and Apple were informed and victims were notified and the spyware was disabled. But it will be back. Actually, this sort of spyware has been around for quite a while and the latest ISI use of it was just another example.

The Canadian university researchers who accused NSO of selling Pegasus to governments who use it to spy on local government critics called for restrictions on who could buy Pegasus and use it for activities many Westerners do not approve of. It is a little late for that because spyware and Internet monitoring software is a huge industry and spyware, in general, is considered generic. Many developers are in countries that don’t care if Westerners are offended by how spyware is used. Actually, some countries see such criticism as a form of praise. NSO already sells its spyware openly and subject to scrutiny by Israeli and other Western intelligence agencies. It’s the spyware that is not created and used (whether sold or not) for spying on cellphone and Internet users that you should be worried about. But complaining about that stuff won’t gain you much recognition for academic Internet security researchers.