The NSO Group is an Israeli spyware vendor that claims to sell its surveillance tools, the best known being the Pegasus spyware, exclusively to government agencies for use against crime and terrorism.
In recent years it has been used to target Amnesty International staff, human rights defenders (HRDs), and activists and journalists in Saudi Arabia, the UAE, Mexico, Morocco and Rwanda.
How Pegasus works
According to reports from Facebook, the parent company of WhatsApp, the flaw is a programming-level weakness known as a “stack buffer overflow” or simply a “buffer overrun”. We will discuss it in more detail later, but in brief it is a vulnerability that allows software to write data into memory locations it was never meant to write to.
This does not mean that WhatsApp’s code is simply erroneous. It is a coding pitfall that developers need to handle properly.
Concepts of illegal memory writing
Let’s say you have developed software that takes a password from the user and stores it on your system as a file. The code is designed to accept an input of 128 bits and write it straight to storage. A user then finds out that your code can only handle 128 bits and enters an input that exceeds that limit. In such a situation your program is bound to behave abnormally.
In some scenarios an attacker will send 128 bits of data followed by malicious code. Your code may then store the first 128 bits, the password, in the intended memory space, but if the length is not handled properly it keeps writing the rest of the data into the adjacent memory locations. This abnormal data, written into stack memory the application was not authorized to use, is no longer under the control of the application that wrote it, so once it is written you cannot detect or delete the malicious code. That code can then execute independently with the permissions the app already holds, such as GPS, messages, call logs, microphone, camera and even network DNS, and can install malicious executables on your system.
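As an added illustration of the length handling the text says developers must get right (example code written for this page, not WhatsApp’s or NSO Group’s code), the 128-bit password field above becomes a 16-byte C buffer; the function names and sample inputs are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example: the page's "128 Bit" password field becomes a
 * 16-byte buffer (128 bits = 16 bytes). */
#define PASSWORD_BYTES 16

/* Vulnerable form: copies whatever the caller sends into a fixed-size
 * stack buffer with no length check. Input longer than PASSWORD_BYTES
 * overwrites the adjacent stack memory, which is the defect the text
 * describes. Kept only to contrast with the checked version below;
 * never call it with untrusted input. */
int store_password_unchecked(const char *input)
{
    char buf[PASSWORD_BYTES];
    strcpy(buf, input);            /* writes past buf when input is too long */
    return (int)strlen(buf);
}

/* Hardened form: look for the terminator within the destination size first
 * and refuse the input when it (plus its NUL) does not fit. Returns the
 * number of bytes stored, or -1 when the input was rejected. */
int store_password_checked(const char *input, char *out, size_t out_len)
{
    /* memchr stops after out_len bytes, so an over-long input is never
     * scanned past the buffer size and is accepted only if it fits. */
    const char *end = memchr(input, '\0', out_len);
    if (end == NULL) {
        return -1;                 /* too long: reject instead of overflowing */
    }
    size_t n = (size_t)(end - input);
    memcpy(out, input, n + 1);     /* copy the bytes plus the terminating NUL */
    return (int)n;
}

/* What the application would actually call: a 16-byte field, checked. */
int accept_password(const char *input)
{
    char field[PASSWORD_BYTES];
    return store_password_checked(input, field, sizeof field);
}
```

A 15-character password fits (15 bytes plus the terminator), a 16-character one is refused, and the application keeps control of what lands in memory either way.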
You might think that if your WhatsApp is hacked you can get rid of the malware simply by uninstalling WhatsApp. Unfortunately, once the malicious executables are installed that will not work: the code they have written is not under the control of WhatsApp itself, so uninstalling leaves the malicious code untouched on your phone.
Yes, uninstalling can stop the code from stealing your data if it was designed only for WhatsApp, but as soon as you install the app again the malware will start working again. The only way out is to factory reset your phone.
How did the targeting via WhatsApp work?
Until May 2019, NSO Group exploited a security vulnerability in WhatsApp. The attack triggered WhatsApp calls to the target’s device in order to exploit it. Attackers may have tried to take advantage of this by making multiple calls during the night, when the target was likely to be asleep and not hear them. A successful infection of the target’s device can cause the app to crash. The attackers can also manually remove the evidence of these calls from the call logs on the device. Evidence of failed attacks can show up in your WhatsApp call log as missed calls from unknown numbers.
The Fear Factor
According to official reports by Facebook, over 1000 users worldwide, including 121 Indians, were attacked by this malware. But the malware’s behavior shows it is not designed for mass surveillance: the attackers deliberately select the users whose devices they attack. So far, public figures, human rights activists, top government officials and journalists are known to have been selected for the attack.
The Israeli NSO Group acknowledges that it has such malware, named “Pegasus”, but claims that it only sells it to government authorities to combat terrorism and crime and that it is not available to individuals.
So, if you are an ordinary WhatsApp user like me, you are safe for now. But stay alert to any abnormal behavior of your installed applications and of the phone as a whole; who knows when you might be under attack?
A security advisory published by WhatsApp’s parent company Facebook said, “A stack-based buffer overflow could be triggered in WhatsApp by sending a specially crafted MP4 file to a WhatsApp user.”
Identified as CVE-2019-11931, this vulnerability notice is similar to the one CERT received from WhatsApp during the Pegasus snooping case.
According to the communication, this weakness could allow a remote attacker to cause “Denial of Services (DoS) and Remote Code Execution (RCE)”, which could be used to compromise any device running Android, iOS or Windows.
According to CERT, “The exploitation does not require any form of authentication from the victim end and executes on downloading of malicious mp4 file on victims system.”