[EDITOR’S NOTE: See CPJ’s updated safety advisory here.]
In a report published on September 18, Citizen Lab said it had detected Pegasus, a spyware created for mobile devices, in over 45 countries. Pegasus, which transforms a cellphone into a mobile surveillance station, could have been deployed against a range of journalists and civil society actors in Mexico, Saudi Arabia, Bahrain, Morocco, Togo, Israel, the U.S., and the United Arab Emirates, the report found.
Researchers have previously identified a number of major Pegasus campaigns, including one against investigative journalists in Mexico, and another against human rights workers in Saudi Arabia. The spyware’s presence in 45 countries raises significant implications for journalists, both in terms of their own security as well as the safety of their sources.
The spyware gives the attacker the ability to monitor, record, and collect existing and future data from the phone. This includes calls and information from messaging applications and real-time location data. The spyware is able to remotely activate the camera and microphone to surveil the target and their surroundings.
Pegasus is designed to be installed on phones running Android, BlackBerry OS, and iOS without alerting the target to its presence. Journalists will likely only know if their phone has been infected if the device is inspected by a tech expert.
Pegasus can be installed in a number of ways. Journalists should be aware of these methods and take appropriate steps to protect them and their sources.
Spear-phishing attacks
Attackers create tailor-made messages that are sent to a specific journalist. These messages convey a sense of urgency and contain a link or a document which the journalist is encouraged to click on. The messages come in a variety of forms, including SMS, email, through messaging apps such as WhatsApp or via messages on social media platforms. Once the journalist has clicked on the link, then the spyware is installed on their phone.
Research by Citizen Lab and Amnesty International found that messages tend to take the following forms:
- Messages purporting to be from a known organization such as an embassy or a local news organization
- Messages that warn the target may be facing an immediate security threat
- Messages that raise any work-related issue, such as covering an event that the target usually reports on
- Messages that make appeals to personal matters, such as those relating to compromising photos of partners
- Financial messages that reference purchases, credit cards, or banking details
The suspect messages may also arrive from unknown numbers.
Attackers can target personal and work phones. To better protect themselves and their sources, journalists should:
- Verify the link with the sender through a different channel of communication. This should preferably be through video or voice
- If the sender is not previously known to you, secondary channels may not provide successful verification of the links, as secondary channels may be set up by the adversary as part of an elaborate cover identity
- If the link utilizes a URL shortener service like TinyURL or Bitly, input the link into a URL expander service such as Link Expander or URLEX. If the expanded link looks suspicious, for instance mimicking a local news website but not being quite the same, do not click the link and forward it to phishtank@cpj.org
- If you feel you need to open the link, do not use your primary device. Open the link on a separate, secondary device that does not have any sensitive information or contact details, and is used solely for viewing links. Carry out a factory reset on the device regularly (keeping in mind that this might not remove the spyware). Keep the secondary device turned off, with the battery removed, when not in use
- Use a non-default browser for the phone. Pegasus is believed to target default browsers. The default browser for Android is Chrome and the default browser for iOS is Safari. Use an alternative browser such as Firefox Focus and open the link in that. However, there is no guarantee that Pegasus will not, or has not, already targeted other browsers
Physically installed by an adversary
Pegasus can also be installed on your phone if an adversary gains physical access to the device. To reduce risk:
- Do not leave your device unattended and avoid handing over your phone to others
- When crossing a border or checkpoint ensure that you can see your phone at all times Turn off the phone before arriving at the checkpoint, and have a complex passphrase consisting of both letters and numbers. Be aware that if your phone is taken then the device may be compromised
If you believe your phone is infected by Pegasus immediately stop using that phone and purchase another one. You should leave the suspected device in a place that does not compromise you or your surroundings. If you have access to tech support through a media organization, contact them immediately for assistance. If you are a freelance journalist or a journalist that does not have access to tech support, contact the Access Now Helpline.
CPJ is working alongside our partners to understand the full scope of the threat Pegasus poses to journalists. If you have received a suspicious message and believe you may have been targeted by Pegasus, please forward the message to phishtank@cpj.org. This information will be handled confidentially.
For more information on technology security we encourage journalists to review the CPJ’s Security Guide’s Chapter on Technology Security and see the digital safety information included in our Resource Center.
With thanks to Citizen Lab for valuable insight.