In February 2024, Pegasus spyware was discovered on MEP Nathalie Loiseau’s mobile phone. This hack again shows that it is possible to install spyware on a mobile without the owner’s knowledge.
The companies that sell these devices tout their virtues in the fight against terrorism. Except their clients, often governments, use this turnkey software against anyone.
40 companies operating in the field of spyware supply
In a detailed analysis, Google counted 40 companies operating in this niche that may not be based in authoritarian countries. It is the entire service that is being sold, not just the software. It includes the infrastructure that allows you to communicate with the spyware and collect data (text messages, passwords, emails, location, phone calls, or video or audio recordings).
The companies that market them are not secretive, although they are not very accommodating to their customers or the actual use of their products. These companies have websites, job postings, engineering teams, press releases, and are present at international cybersecurity conferences.
In response to this threat, both Google and Apple are increasing their efforts to secure Android and iOS. These multinational companies have too much to lose by losing trust on the part of their users: the price of the monitoring service offered by the spyware producers is affected.
For 8 million euros, it is possible to install the software on 10 mobile devices (no more) at the same time using “one-click exploitation”, otherwise the target’s only interaction with their mobile, via a link to a document that can be opened to install the software. Sometimes you don’t even need any interaction at all: just deliver the message. For an additional 1.2 million euros, destinations can be abroad.
When spyware infects its target, it doesn’t necessarily stay there permanently. It could be programmed to “pass out” without attracting the attention of the smartphone owner. However, there is a possibility of persistence: to keep the software installed on the phone, expect an additional cost of 3 million euros. At this price, many customers will prefer to reinfect the target when they need it. And only governments can afford such investments.
3-phase infection
You have to go a long way to get to the theme of your goal. And take advantage of a number of vulnerabilities that Google and Apple do not know about, otherwise these digital giants would fix them. In order for spyware to be installed, they must fit together.
The first vulnerability: a flaw in the mobile operating system that allows an elevation of privilege that spyware will benefit from. It is not enough ; a second, called a “sandbox”, is needed. Each mobile app works in isolation, using an area of memory where it does what it’s supposed to do, but from which it can’t access the rest of the mobile unless permission is granted during installation (usually ).
So the second vulnerability is the one that allows you to get out of the sandbox and wander all over the place without alerting the end user. Finally, we need the missing link: a third vulnerability, one that allows remote code execution, such as a series of special characters sent to a messaging app that will interpret it as computer code to be executed.
Sometimes this step can be avoided by sending a link to the destination, supposedly from a mobile operator, with a link to click to restore a good connection quality. This link is a trojan horse to download the app without going through the Play Store or Apple Store to quickly detect it. The companies that sell this software obviously have researchers who (by trial and error) discover these vulnerabilities, but they also buy them.
Get over it
The difficulty of finding these vulnerabilities and putting them to music is itself a guarantee against the risks of espionage. There aren’t many that allow these intrusions: Google counted 53 in 4 years, 33 of which were discovered by spyware companies. Every time Google or Apple researchers take one apart and come up with a fix, it’s spyware that no longer works, and the company selling it is greatly weakened.
Thanks to the efforts of researchers who track them down and reveal their true colors, such as the Citizen Lab that discovered Pegasus, spyware vendors have to change their names and disappear, which is obviously not good when we have a commercial network. Their leaders, while unimpeachable in their country of origin, may be subject to subpoenas, convictions or international arrest warrants.
The United States has decided to crack down on these companies (probably they don’t need them for their own purposes: the NSA has everything they need in their drawers). Sanctions are applied to those who cross the red line. Another axis is putting pressure on the countries and governments that host these companies. Washington has even announced a restrictive visa policy for anyone who misuses the software.
In March 2023, Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland and the United Kingdom and the United States pledged to combat the proliferation of these tools. Their stated goals: to limit the export of the technology that enables the development of these surveillance systems, to engage civil society in monitoring this software, to share information, to put users at risk to have their cell phones checked.
Moving this business into the shadows would make access more difficult. However, governments remain ambivalent about this tool, which can harm them, but which they do not always hesitate to use.
In the European Media Freedom Act, which has just been passed to protect journalism in Europe, the use of spyware against the press is not completely prohibited, but reserved for serious cases, with imprisonment at stake, based on a court order. The target will have a right to know and will be able to challenge this use in court. In 2023, some countries fought to include national security cases in the use of spyware.
Charles Cuvelliez, University of Brussels, Ecole Polytechnique de Bruxelles and Jean-Jacques Quisquater, University of Louvain, Ecole Polytechnique de Louvain