The NSO Group Pegasus spyware scandal was uncovered thanks to a single fake image file mistakenly left on an activist’s iPhone.
Last summer, the spyware known as Pegasus was found to have been used to hack the iPhones and Android smartphones of journalists, activists and political opponents of certain governments around the world. In total, over 50,000 phone numbers were reported as potential targets of various governments using Pegasus. How was all this discovered? Thanks to a fake image file.
Pegasus normally erases all traces of its presence on an iPhone after uploading the user's data to its controller, but an error caused the tool to leave a single fake image file on the iPhone of Loujain al-Hathloul, a women's rights activist from Saudi Arabia.
After her release from prison in February 2021, where she had been held on national-security charges, al-Hathloul received an email from Google warning her that hackers had tried to attack her Gmail account. She then suspected that her iPhone might also be a government target, so she asked Citizen Lab to examine it.
Six months later, it was discovered that a Pegasus malware error had left a single malicious file on the device. That file then served as direct evidence that the infection was NSO Group's Pegasus.
“It was a game-changer,” said Bill Marczak, a researcher at Citizen Lab. “We have captured something society thought was unachievable.”
The file also revealed the exploit technique Pegasus used, which allowed Apple to notify thousands of potential victims of the possible attack. The discovery also helped Apple release an update fixing the vulnerabilities Pegasus exploited, and subsequently to take legal action against NSO Group itself.