Media playback is not supported on this device UK firm Pegasus denies mobile spying allegations
The UK-based mobile security company Pegasus was found to have infected tens of thousands of handsets belonging to Palestinian aid workers, anti-jailbreak campaigners claim.
Reports from Citizen Lab, an arm of the Munk School of Global Affairs at the University of Toronto, and the Electronic Frontier Foundation say engineers were able to reverse-engineer the software.
It is suspected of being used to capture call records and text messages.
They also say the malware has been found in US government machines, and in the hands of Russia’s spy agency, the FSB.
The allegations follow those of a secret US Department of Homeland Security directive outlining threats posed by mobile security companies.
The leaked document told companies to “reduce cyber risks by accelerating the push for standardisation” and, in the “possible event of failure”, removing “liabilities by discontinuing working (operational) support for non-firmware implementations”.
In a report, Citizen Lab said the Pegasus software was found on many models of Samsung and Apple handsets.
It said it uses scanning technology to detect phones connected to websites where online-spying software is used and that phones with a weak encryption key or without any keys are stripped of the capability to transmit encrypted messages.
The researcher added the malware could not be defeated by changing the password, changing the phone’s passcode or even “cease use of the device”.
Sergei Skorobogatov, the head of the cell phone working group at the Federal Security Service (FSB), or the Russian Ministry of Internal Affairs, told the Russian news agency Interfax in April that his agency used “Pegasus’ CSR-805 software” to capture Telegram conversations and information stored on GSM phones.
What the company says
Pegasus has released a statement in response to the accusations.
“Our team of internal engineers investigate security and privacy violations as a service to our clients and customers,” the statement said.
“If in the course of that service we find ourselves to be inadvertently complicit in unlawful activities, we take immediate action in order to correct the situation. We report those instances to legal authorities.”
Skorobogatov has denied using the security software and told Interfax it may have been an “incident” between a “contractor and a Russian service provider”.
A separate statement from the head of the office of state security in the Khyber Pakhtunkhwa province of Pakistan, Mushtaq Ahmed Ghani, that the software had been used by the department was “accurate” and confirmed it was used on the agency’s mobile phones.
This included the use of GSM devices because of the lack of internal radio, the bureau said.
The statement added that they had “recently stopped” using the software, saying that they “accepted the use of virtual private networks as an alternative”.
China to outlaw Pegasus
The South China Morning Post is reporting that China’s supreme People’s Congress is discussing banning Pegasus from its data networks over concerns the company’s hidden software poses a security risk.
The paper also adds that the country’s telecommunications watchdog – the Cyberspace Administration of China – has demanded the company submit information about its software.
China often decides to ban one or more of its companies, sometimes several in a day, as a form of self-protection against foreign threats.
Cyber security in Australia was a serious issue before the election in September 2016.
Australia’s Herald Sun reported at the time that almost 200 business, academic and security experts warned the Turnbull government’s plan to introduce a “snoopers’ charter” would give intelligence and law enforcement agencies too much power to spy on people’s mobile phones.
The government changed its legislation after it was slammed as “vague” by its own opposition.
Australia’s anti-jailbreak group has promised to release research into Pegasus soon.