PEGASUS

A troubling exposé of invasive malware meant to spy on criminals but that instead targeted journalists and politicians.

In 2013, Israeli firm NSO Group developed Pegasus, spyware easily introduced into mobile phones, and made a fortune selling it to governments that had no intention of applying it to its nominal targets: “terrorists, criminals, and pedophiles.” As French journalists Richard and Rigaud write, a leaked data dump that landed on their desks showed that Pegasus—created after Apple refused to allow law enforcement agencies a back door into its phones, reasoning that “the black hats were sure to get them, too, and could then do damage to innocent people”—was used by governments against journalists and activists critical of their regimes. By the authors’ account, the Saudis used Pegasus to track murdered journalist Jamal Khashoggi. “Traces of evidence in the Android phone belonging to Khashoggi’s wife, Hanan, suggested she had been targeted by Pegasus spyware before his murder but did not prove a successful infection,” they write. Other journalists in places such as Mexico and Azerbaijan were also targeted, often before being jailed or killed, as were political opponents of the governments of India, Hungary, and Morocco, among others. Distributing the work of electronic forensics to identify the targets in that leaked database, Richard and Rigaud recruited numerous partners, including the Guardian and the Washington Post, coordinating a series of stories that showed how Pegasus was distributed through holes in the phones’ security. As the latter publication revealed, “When iMessage was just an Apple version of SMS, it was pretty locked down…but once the app allowed iPhones to download video and GIFs and games, it became significantly less secure.” Apple and Android phones have since become more secure, but the black hats are usually a step ahead.

An urgent cautionary tale for those who “hope to forestall the Orwellian future” of cybersurveillance.