El Salvador is the latest country to register numerous victims of Pegasus spyware. NSO Group, an Israeli firm, sells the Pegasus software to government agencies and law enforcement that enables them to hack iPhones. Pegasus spyware allows access to mobile devices data without the victim knowing or needing to click on anything.


Citizen Lab and Access Now have confirmed that 35 journalists and activists in El Salvador were targets of the highly invasive Pegasus software to extract information from their cellphones as civil liberties deteriorated in the country as they investigated alleged state corruption.


Sofía Medina, spokeswoman for President Nayib Bukele, said in a statement that “El Salvador is no way associated with Pegasus and nor is a client of NSO Group.” She said the government does not have licenses to use this type of software, AP News reported. “Medina said that on Nov. 23 she, too, received an alert from Apple as other victims did saying she might be a victim of state-sponsored hacking. She said El Salvador’s justice and security minister received the same message that day. The Citizen Lab investigation did not include government officials, Medina said.”


Ever since Lookout and the Citizen Lab first discovered Pegasus back in 2016, NSO has maintained the stance that the spyware is only sold to a handful of intelligence communities within countries that have been thoroughly vetted for human rights violations, says Hank Schless, Senior Manager, Security Solutions at Lookout, a California.-based endpoint-to-cloud security company. “Their proactive statements about the Citizen Lab is just another attempt at maintaining this narrative in the media. Last year’s exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see right through what NSO claims. It seems that every couple of months, there’s more evidence mounting against NSO’s claims. This has driven many national governments, including the United States, to impose sanctions on the company.”


One prominent news editor’s device was found to be infected 42 times with Pegasus, and others were also infected over a dozen times, Schless says. “Recent observations of Pegasus show that it can be delivered through a zero-click delivery model, which means that it takes advantage of automated processes on the mobile device to execute the payload and infect the device. This means the user doesn’t even have to interact with the malicious link or file. While Pegasus doesn’t persist on the device through a reboot, its operators will often redeliver it to the target if they notice that there are no longer signals coming from the device for a particular amount of time. Since delivery and infection can take place without interaction from the user, operators can redeliver the malware over and over with high efficacy as proven in this case.”


While Pegasus itself targets iOS users, there’s also an Android component known as Chrysaor, which is also developed by NSO and was uncovered in 2017 by a combined effort between Lookout and Google, Schless explains. “Named after Pegasus’ brother in mythology, Chrysaor has almost the exact same capabilities on Android as Pegasus does on iOS. This includes gaining root access to the target device and being able to read anything on the device, even if it’s in an app with encrypted messaging. Chrysaor is different from Pegasus in that it relies on a well-known rooting technique called Framaroot. The attack chain is still the same between both Pegasus and Chrysaor. The attacker sends the targeted individual a socially engineered message across any platform with messaging capabilities and silently delivers the vicious surveillanceware to the device.”