Pegasus can harvest any information, SMS messages, or call history from target: Cdr. Subhash Dutta (Retd), Sequretek

The Pegasus issue, which grabbed headlines a couple of weeks ago, may no longer be in the news as much as it used to be. However, that does not take away from the fact that the software, if misused, could be a humungous threat to privacy. Although NSO Group technologies has clarified that the software is only used to track crime, the recent controversy of Pegasus being used to possibly spy on eminent personalities is a cause of concern.

The Pegasus episode has led to various people asking questions such as how does the software work? Are there any laws to prevent its misuse? What are some of the signs one can watch out for to know if their devices are hacked? In an interview with Dataquest, Cdr. Subhash Dutta (Retd), chief of operations and head - Malware Research, Sequretek answered all of those questions.

DQ: How does the Pegasus spyware work exactly?

Subhash Dutta: Pegasus utilises existing software present in all mobile operating systems to steal information.  What is unique to this particular malware is its ability to infect target phones running most versions of iOS and Android operating systems.  Pegasus can be installed on a phone through vulnerabilities in common apps, or by tricking a target into clicking a malicious link.  Once installed on a phone, Pegasus can harvest any information or extract any file including, SMS messages, address books, call history, calendars, emails.  In addition, it can extract the phone’s location data, record calls, activate its camera and microphone to eavesdrop on conversations.

DQ: NSO Group Technologies maintains that this software is only used for tracking illegal activities. Are there any laws to prevent its misuse?

Subhash Dutta: Yes, the existing laws of India prohibit interception of communications unless authorised by designated authorities. Authorised communication surveillance in India takes place primarily under two laws — the Telegraph Act, 1885 and the Information Technology Act, 2000. While the Telegraph Act deals with interception of calls, the IT Act was enacted to deal with surveillance of all electronic communication.

DQ: What are some of the signs one can watch out for to know if their devices are hacked?

Subhash Dutta: While Pegasus is a fairly sophisticated piece of spyware, there are by now a few indicators to detect its presence.  The most comprehensive detection tool is developed by Amnesty International, called Mobile Verification Toolkit (MVT). The source code is open source, and it is felt that by now would have been incorporated by most antimalware protection products.  Some of the signs to watch out for include – sudden deterioration in phone’s performance, unknown apps installed and, a sudden spike in data consumption.