In countries under authoritarian regimes, your smartphone can easily be used as a surveillance tool to monitor your movements and online activity.
With covert software known as Pegasus, smartphone surveillance is at an all-time high, and it can be carried out with the simple click of a button.
The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, detailed how the software has been used all across the world, mostly in countries under authoritarian regimes, as leaders try to clamp down on dissidents and promote censorship.
This is particularly relevant to the Kenyan context, where heightened interest in government affairs by Kenyans and greater promotion of civic education through online activism have prompted a response from the State, as seen in alleged cases of abductions and enforced disappearances.
As per the stories of victims of alleged abductions, confiscation of mobile devices is a given, with the victims recounting experiences of being forced to provide sensitive information such as phone passwords. This then enables the alleged abductors to gain access and potentially embed such software.
According to John Scott-Railton, a Senior Researcher at the global body, the software, developed by an Israeli firm, can do everything you, as the user, can do on your phone.
This includes reading your encrypted messaging, tracking your locations and movements, and monitoring your overall online activity. It can even do some things that not all smartphone users can do, such as accessing information stored in one’s phone cloud. If targeted by the app, you are an open book.
In terms of how the software gets to your phone, this can be done through what is known as “click access.”
Scott-Railton gave an example of how a Saudi university student studying in Canada, who is a massive critic of the Saudi Arabian government, became a victim of Pegasus. The student had ordered a package online and later received a legitimate message with a link on how he could track his delivery.
However, what the student did not know was that Pegasus had been embedded in the link, and just by clicking, his phone was tapped, putting him under constant surveillance.
Despite its high costs, countries have been able to purchase the software due to the perceived huge political gains it brings to leaders and their clamour to hold onto power.
Recently, a new way of embedding the software into one’s smartphone has emerged. This is through “zero-click attacks,” which are more sophisticated.
Unlike click attacks, where the user performs an action on their phone that is then used to introduce Pegasus, zero-click attacks require no action from the user, meaning one has no control.
In these advanced cyberattacks, attackers gain unauthorised access with zero user interaction. The attacks are particularly dangerous because they can occur silently, often without the victim’s knowledge, and are typically used to deliver malware, spyware, or other malicious payloads.
Despite efforts to clamp down on Pegasus, a new hacking software, Paragon, has emerged. The software, also with Israeli roots, targets WhatsApp and Signal, using the same sophisticated zero-click method to hack into phones.
With Paragon, an attacker adds the victim, without their knowledge, to a WhatsApp group in a very specific way. The attacker then sends a PDF to the group, which is automatically opened by the victim’s phone.
This leads to the victim’s device being infected, and the infection quickly spreads to other apps on the device. All this time, the victim sees nothing, highlighting how vulnerable it leaves one.
To avert this, one can regularly update one’s phone software, use security tools to detect potential breaches, and monitor one’s device for any suspicious activity such as battery drain or unexpected data usage.
Although such cases have not been fully confirmed in Kenya, the likelihood of such software being in use is high, and smartphone users are urged to be alert and remain aware of any dangers posed by the software.