Zero-click installation, which requires no action from the target, is not the only feature that makes Pegasus the super-spyware it is. What also sets it apart is its active collection capability, which lets operators decide exactly what information to pull from the target device.

This set of features, says NSO Group's marketing material for Pegasus (the Israeli company that developed it), is called "active" because the agent collects data at the explicit request of the operator, and NSO claims this distinguishes Pegasus from every other intelligence-gathering solution, that is, from other spyware.

Instead of waiting for information to arrive and hoping it is what you are looking for, the operator actively pulls the relevant information from the device and gets exactly what they were after, says NSO's pitch.

Active data extraction

NSO Group divides surveillance into three levels: initial data extraction, passive monitoring and active collection.

Unlike other spyware, which NSO says only monitors some communications from the point of infection onwards, Pegasus extracts all data already present on the device, including historical data, to build a comprehensive and accurate intelligence picture. The initial extraction sends SMS records, contacts, call history (the call log), emails, messages and browsing history to the command-and-control server.

While Pegasus monitors the infected device and retrieves new data in real time, or periodically if configured that way, it also exposes a full set of active collection features that let the operator act in real time to pinpoint and retrieve specific information from the device and its immediate surroundings.

These active collection features include:

GPS-based location tracking: if the target has disabled GPS, Pegasus switches it on, takes a sample and immediately switches it off again. If no GPS fix is available, the cell ID is used instead.

Ambient sound recording: Pegasus checks that the phone is idle before activating the microphone by means of a silent incoming call. Any action by the target that lights up the screen immediately ends the call and closes out the recording.

Taking pictures: both the front and rear cameras can be used once Pegasus detects that the phone is idle. The operator can set the photo quality in advance to reduce data usage and speed up transmission. NSO warns that, since the flash is never used and the phone may be moving or in a dimly lit room, pictures may sometimes be out of focus.

Rules and alerts: a number of conditions can be set in advance to trigger real-time actions, such as geofencing alerts (the target enters or leaves a specified area), meeting alerts (two devices are at the same location), connection alerts (a call or message is sent to or received from a specific number) and content alerts (a specific word appears in a message).
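The four rule types above can be modelled as a small event-rule engine. The Python below is an added illustration written for this article, not NSO's code: the rule schema, the event format, the use of a haversine distance test for the geofence and meeting checks, and all coordinates, numbers and device names are assumptions constructed for the example.

```python
import math

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class RuleEngine:
    """Evaluates a stream of agent events against pre-configured rules.

    Rules are plain dicts with a "kind" key; the four kinds mirror the alert
    types listed in the text (geofence, meeting, connection, content). The
    schema itself is an assumption made for this example.
    """

    def __init__(self, rules):
        self.rules = rules
        self.inside = {}     # (rule index, device) -> bool; only transitions raise a geofence alert
        self.positions = {}  # device -> (lat, lon, ts); last known fix, used for meeting detection
        self.alerts = []

    def feed(self, ev):
        """Evaluate one event against every rule; return the alerts it raised."""
        start = len(self.alerts)
        for i, rule in enumerate(self.rules):
            getattr(self, "_" + rule["kind"])(i, rule, ev)
        return self.alerts[start:]

    def _geofence(self, i, rule, ev):
        # Alert on enter/exit transitions only; the first fix just establishes state.
        if ev["type"] != "location" or ev["device"] != rule["device"]:
            return
        now_inside = haversine_m(ev["lat"], ev["lon"], rule["lat"], rule["lon"]) <= rule["radius_m"]
        key = (i, ev["device"])
        was_inside = self.inside.get(key)
        self.inside[key] = now_inside
        if was_inside is not None and was_inside != now_inside:
            self.alerts.append(("geofence", ev["device"], "enter" if now_inside else "exit", rule["name"]))

    def _meeting(self, i, rule, ev):
        # Two watched devices "meet" when their latest fixes lie within radius_m
        # of each other and were taken within window_s seconds.
        if ev["type"] != "location":
            return
        self.positions[ev["device"]] = (ev["lat"], ev["lon"], ev["ts"])
        a, b = rule["devices"]
        if ev["device"] not in (a, b) or a not in self.positions or b not in self.positions:
            return
        la, oa, ta = self.positions[a]
        lb, ob, tb = self.positions[b]
        if abs(ta - tb) <= rule["window_s"] and haversine_m(la, oa, lb, ob) <= rule["radius_m"]:
            self.alerts.append(("meeting", a, b, ev["ts"]))

    def _connection(self, i, rule, ev):
        # Any call or message to or from the watched number.
        if ev["type"] in ("call", "message") and ev["number"] == rule["number"]:
            self.alerts.append(("connection", ev["device"], ev["type"], ev["number"]))

    def _content(self, i, rule, ev):
        # Case-insensitive keyword match on message text.
        if ev["type"] == "message" and rule["keyword"].lower() in ev["text"].lower():
            self.alerts.append(("content", ev["device"], rule["keyword"]))


def demo():
    """Run a constructed event stream through the four rule types; returns all alerts."""
    rules = [
        {"kind": "geofence", "name": "embassy", "device": "target",
         "lat": 48.8584, "lon": 2.2945, "radius_m": 200},
        {"kind": "meeting", "devices": ("target", "associate"), "radius_m": 50, "window_s": 300},
        {"kind": "connection", "number": "+15551234567"},
        {"kind": "content", "keyword": "airport"},
    ]
    # Constructed sample events; coordinates, timestamps and numbers are made up.
    events = [
        {"type": "location", "device": "target", "lat": 48.8700, "lon": 2.3000, "ts": 1000},  # ~1.3 km out: outside
        {"type": "location", "device": "associate", "lat": 48.8586, "lon": 2.2947, "ts": 1050},
        {"type": "location", "device": "target", "lat": 48.8585, "lon": 2.2946, "ts": 1100},  # enters fence, meets associate
        {"type": "call", "device": "target", "number": "+15551234567", "direction": "in"},
        {"type": "message", "device": "target", "number": "+15559876543",
         "text": "Meet me at the airport tonight"},
        {"type": "location", "device": "target", "lat": 48.8650, "lon": 2.2945, "ts": 1700},  # ~730 m out: exits fence
    ]
    engine = RuleEngine(rules)
    for ev in events:
        engine.feed(ev)
    return engine.alerts


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The geofence check keeps per-device state so that a target sitting inside the fence does not raise an alert on every fix, only on crossing the boundary; the meeting check additionally requires the two fixes to be close in time, since two devices that visited the same spot hours apart never met.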

Invisible transmission

Transmitted data is encrypted with 128-bit symmetric AES. Beyond encryption, NSO says, extra care has been taken to ensure Pegasus uses minimal data, battery and memory so that the target does not become suspicious.

This is why Wi-Fi connections are preferred for transmitting collected data. NSO says it has put extra thought into compression and into sending textual content wherever possible, keeping the data footprint down to a few hundred bytes and the impact on the target's mobile data plan minimal.

Data transmission stops automatically when the battery is low or when the target is roaming. When transmission is not possible, Pegasus stores the collected data in a hidden, encrypted buffer capped at 5 percent of the free space on the device. In the rare cases where no transmission is possible over secure channels, the operator can retrieve urgent data via text messages, but this, NSO warns, could show up as charges on the target's phone bill.

Communication between Pegasus and the central servers goes through the Pegasus Anonymous Transmission Network (PATN), which NSO claims makes tracing impossible. PATN nodes, says NSO, are spread around the world and route Pegasus connections along varying paths before they reach the Pegasus servers.

The self-destruct function

Pegasus comes with an efficient self-destruct mechanism. In general, NSO says, it considers it more important that the source is not exposed and the target suspects nothing than that the agent stays alive and keeps working. Any risk of exposure automatically triggers self-destruction, which also fires if the agent on an infected device has not communicated with its server for 60 days, or for a custom period set by the operator.

There is a third scenario that triggers self-destruction. Since the day it released Pegasus, NSO Group says, it has not allowed Pegasus to infect US phone numbers. The company does not even allow an infected phone to travel to the United States: the moment a target enters the US, the Pegasus agent on their device switches into self-destruct mode.