Back in the days of Windows XP, malware roamed free. By opening the wrong file or clicking the wrong link – or in some cases even doing nothing at all – you could infect your PC and that was that. Once run, any application had a complete run of the system and all its data. Want to take a sneaky snapshot from the webcam without the owner knowing? Sure. Want to read all your emails? OK. Want to sit, hidden, in the background and report back everything the user does? Make yourself at home.
As well as malware, this also bred a generation of real applications that would just make themselves a little too comfortable on your computer, for example by watching your actions to check adherence to licencing requirements, or displaying unwanted ads.
The much-hated Windows Vista actually made massive architectural leaps forward to combat this, and baby-steps through to Windows 10 have made it immeasurably more solid again. Mac OS has followed a parallel evolution.
But Android and iOS are different from the ground up, and much more secure. For most mobile users, anti-virus solutions are unnecessary. At an architectural level, apps each run in their own “sandbox” and can’t access those of other apps. So you can’t install a face-swapping app which also secretly reads your emails, because the two apps each exist in their own worlds and can’t “see” one another. No communication is possible between the worlds except by invitation.
Permissions are a key feature in combating malware too. The only way an app can get access to the camera, say, is by asking Android or iOS to grant it permission. And Android and iOS only do so after they have sought the permission of the user. That means if you say “no” to the popup asking if you want to allow an app to take a photo, there’s nothing at all the app can do to access your phone’s camera. It’s literally impossible.
Of course, from time to time, some bad actors get posted on the app stores. For example a list of iOS apps were shown to contain trojan code in 2019. But even these bad ones have to fit into the system. An app isn’t going to be able to spy on your list of contacts or monitor your location unless you really do give it permission to do so. So they rely on users pressing the relevant permission button without really thinking about it.
This is why we urge all users to think carefully about whether a permission being requested seems reasonable, before accepting it. But even so there aren’t many apps like this because app store review policies do a fairly effective job at keeping them out, particularly in Google Play and the iOS App Store. Though its algorithms are kept secret, Google Play even appears to have some really smart technology to automatically discover clandestine functionality of apps.
That means it can (and does!) read your email, open your camera or check your location without you ever having given it permission to do so. It has full access to your whole phone, just like malware did in the days of Windows XP.
It’s sold to shady governments around the world who right now use it to spy on people such as activists, journalists and politicians.
Each time Pegasus is discovered and analysed (and it’s very good at hiding its tracks), new versions of Android and iOS are published to patch the flaws which allowed it access in the first place. But it keeps returning.
So what can you do to prevent yourself from falling victim to this kind of attack? Firstly, make sure you keep your OS updated. For Android that means also keeping your apps up-to-date, because some OS components are distributed that way. But other than that, there’s almost nothing you can do.
To conclude, your mobile OS – whichever flavour you choose – does a great job of being secure by design. But Pegasus demonstrates, unfortunately, that if a government wants to spy on you, there’s probably nothing that can effectively stop it. As ever the onus is with the end user to do everything you can to protect yourself. Keep your OS up to date. Keep your apps up to date. Check what permissions you agree to and always think long and hard about how trustworthy an app is likely to be.