It all began with reports that the phones of 17 Indian lawyers, activists and scholars had been targeted for surveillance. The implant did not arrive hidden inside another application, nor through a link the target had to open. The one pattern common to all 17 victims is that each received WhatsApp calls from international numbers.
Most of the victims were wary enough not to answer those calls, but the damage had already been done: the spyware was planted with nothing more than a missed call. When this program was first identified as 'Pegasus' in 2016, it was described as the most sophisticated spyware tool seen in cyberespionage up to that point.
For anyone running a vulnerable WhatsApp build at the time of the calls there was virtually no escape, because no click or answer was required. The vector itself was closed when WhatsApp shipped a patched build in May 2019, so keeping the app updated is the one defence against this particular path. Clearing app data or rebooting does not reliably remove an implant that has gained elevated privileges, and ordinary antivirus scans rarely detect it. It does not, however, sit in unerasable memory the way the IMEI does: a factory reset wipes the data partition where such implants live. That is also why a phone suspected of compromise should be preserved and examined before it is wiped, since the reset destroys the forensic evidence along with the implant.
Indian Government Bans 42 Apps from Play Store
The first application banned from use in India was UC Browser, known for its fast page loads and downloads. A spree of guidelines and a ban on more than 40 applications followed. The government released a list of applications it deemed unsafe after intelligence agencies reported that users on the subcontinent were under reconnaissance from neighbouring countries (primarily China).
Data from December 2019 indicate that UC Browser, a product of UCWeb, which is owned by the Alibaba Group, is still the second most widely used browser in India.
Popular Browsers and their Market-share in India
In August 2019, UCWeb released another update, after which the ban on it was lifted. A week later UCB was live on Google Play again and the craze continued unabated. Within a month the user base had climbed back to its previous peak, and it reached a lifetime high a month after that.
To understand the differences between the pre-ban and post-release versions, and to see whether there was any tangible change in performance, Go4hosting downloaded an earlier version of the browser and compared it with a more recent version to see how the two stack up.
The results were not very surprising.
Pre-Ban UC Permissions
We searched the internet for a third-party app store offering an outdated release of UCB (UC Browser), preferably from before August 2019. The search led us to an online black market for apps, containing all the spooky applications that have since been discontinued from Play Store.
Shown above: an interesting thing we noticed was that the exact same application showed different sizes on Google Play and on the black market. Perhaps Google compresses raw APK data differently, or the black market was distributing APKs with mutilated code. While the former is more plausible, the second explanation cannot be ruled out.
We scrolled through the various releases of UC, selected the one that had been banned, allowed the APK to be installed from an unknown source, and installed it on a test smartphone.
The permissions UC sought from us were overstated and by no means convincing for a browser. As we scrolled down we saw that it asked for access to our call information, which put us on full alert.
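Size alone says little about whether two copies of an app are the same build. The check a practitioner would make is to open both APKs as zip archives and compare them entry by entry, then see which component (native libraries, dex, resources) accounts for the difference. The example below is added here and is not code from the original page or from UCWeb; the two "APKs" it compares are constructed in memory with placeholder contents, so it runs offline.

```python
import hashlib
import io
import zipfile


def _entry_hashes(apk_bytes):
    """Map every zip entry in the APK to the SHA-256 of its uncompressed bytes."""
    hashes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            hashes[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return hashes


def diff_apks(apk_a, apk_b):
    """Report which entries were added, removed, changed or left alone between two APKs."""
    a, b = _entry_hashes(apk_a), _entry_hashes(apk_b)
    common = set(a) & set(b)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "changed": sorted(n for n in common if a[n] != b[n]),
        "unchanged": sorted(n for n in common if a[n] == b[n]),
    }


def size_breakdown(apk_bytes):
    """Compressed bytes per top-level component (lib, res, classes.dex, META-INF, ...)."""
    sizes = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            component = info.filename.split("/", 1)[0]
            sizes[component] = sizes.get(component, 0) + info.compress_size
    return sizes


def _build_sample_apk(dex_payload, extra_abi):
    """Constructed stand-in for an APK: a zip with the usual top-level layout, not a real app."""
    fake_elf = b"\x7fELF" + bytes(range(256)) * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        zf.writestr("classes.dex", dex_payload)
        zf.writestr("res/layout/main.xml", b"<layout placeholder>")
        zf.writestr("lib/arm64-v8a/libbrowser.so", fake_elf)
        if extra_abi:
            # A second ABI is the typical reason a sideloaded "universal" APK is larger
            # than the per-device copy Play serves.
            zf.writestr("lib/armeabi-v7a/libbrowser.so", fake_elf)
        zf.writestr("META-INF/CERT.RSA", b"constructed signature block")
    return buf.getvalue()


# Two constructed copies of the "same" app: the second carries an extra ABI and altered dex.
PLAY_COPY = _build_sample_apk(b"dex bytecode v1", extra_abi=False)
MARKET_COPY = _build_sample_apk(b"dex bytecode v1 plus injected code", extra_abi=True)

if __name__ == "__main__":
    for key, names in diff_apks(PLAY_COPY, MARKET_COPY).items():
        print(f"{key:9s} {names}")
    print("play   ", size_breakdown(PLAY_COPY))
    print("market ", size_breakdown(MARKET_COPY))
```

An extra `lib/<abi>/` directory explains a size gap innocently; a changed `classes.dex` does not. For a real APK, follow the diff with `apksigner verify --print-certs` on both files and compare the signer certificate digests: a repackaged build cannot carry the original developer's certificate.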
In-App Permissions Required
With call access granted, UC Browser could read our call logs; together with its other permissions it could place calls, record audio and upload any of our files to its cloud servers in China. Seemingly, Indian intelligence also picked up on this and ordered an immediate ban on Chinese apps in India.
India and China together made up almost 70% of UC's user base. By 2018 the browser already had more than 130 million MAU (monthly active users) on the subcontinent alone, but that number took a heavy blow with the ban. Within a month, the user base fell to a lifetime low.
Ban Outcomes: Change in UC's Policy
Once the government imposed the ban on UC, UCWeb revamped its policy and subsequently dropped all irrelevant permissions.
The 6 January 2020 update of UC Browser (shown on the right) requests fewer permissions and works as well as its predecessors. Again, this raises questions about the ethics of Chinese firms shipping apps with extraneous permissions for their own ends. If UCWeb could build the same application without inessential permission requests, why did it not do so in the first place? One caveat when reading such comparisons: on Android 6.0 and later, permissions in the 'dangerous' groups (call log, contacts, location, microphone, storage) are granted at run time, so a permission declared in the manifest is only a capability the app may ask for. What an app actually holds has to be checked on the device, not inferred from the manifest alone.
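The pre-ban and post-ban comparison above can be made repeatable rather than a matter of scrolling through install dialogs: run `aapt dump permissions <file>.apk` on each build, diff the declared permissions, and flag any runtime ('dangerous') permission a browser has no obvious use for. The example below is added here and is not the original page's or UCWeb's code. The two `aapt` outputs are constructed (package name `com.example.browser` is a placeholder), and the `BROWSER_EXPECTED` baseline is this example's own assumption about what a general-purpose browser can justify.

```python
import re

# Android runtime ("dangerous") permissions and the group the platform assigns them to.
DANGEROUS_GROUPS = {
    "android.permission.READ_CALL_LOG": "PHONE",
    "android.permission.WRITE_CALL_LOG": "PHONE",
    "android.permission.CALL_PHONE": "PHONE",
    "android.permission.READ_PHONE_STATE": "PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS": "PHONE",
    "android.permission.RECORD_AUDIO": "MICROPHONE",
    "android.permission.READ_CONTACTS": "CONTACTS",
    "android.permission.WRITE_CONTACTS": "CONTACTS",
    "android.permission.GET_ACCOUNTS": "CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION": "LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION": "LOCATION",
    "android.permission.CAMERA": "CAMERA",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_EXTERNAL_STORAGE": "STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE": "STORAGE",
}

# Assumption made by this example: permissions a general-purpose browser can justify.
BROWSER_EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WRITE_EXTERNAL_STORAGE",   # downloads
    "android.permission.READ_EXTERNAL_STORAGE",    # uploads via the file picker
    "android.permission.CAMERA",                   # WebRTC / file capture, user opt-in
    "android.permission.RECORD_AUDIO",             # WebRTC, user opt-in
    "android.permission.ACCESS_COARSE_LOCATION",   # geolocation API, user opt-in
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.WAKE_LOCK",
    "android.permission.VIBRATE",
}

# Matches both "uses-permission: name='X'" (current aapt) and "uses-permission: X" (older aapt).
_PERM_RE = re.compile(r"^uses-permission(?:-sdk-23)?:\s*(?:name=)?'?([\w.]+)'?", re.M)


def parse_aapt_permissions(text):
    """Set of permission names declared in `aapt dump permissions` output."""
    return set(_PERM_RE.findall(text))


def compare_permissions(old_text, new_text):
    """Declared-permission diff between two builds of the same app."""
    old, new = parse_aapt_permissions(old_text), parse_aapt_permissions(new_text)
    return {"removed": sorted(old - new), "added": sorted(new - old), "kept": sorted(old & new)}


def unjustified_dangerous(perms, expected=BROWSER_EXPECTED):
    """Runtime permissions the app declares but the baseline does not account for."""
    return {p: DANGEROUS_GROUPS[p] for p in sorted(perms)
            if p in DANGEROUS_GROUPS and p not in expected}


# Constructed `aapt dump permissions` output for a pre-ban style build ...
OLD_BUILD = """package: com.example.browser
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.READ_CALL_LOG'
uses-permission: name='android.permission.CALL_PHONE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""
# ... and for a trimmed-down later build.
NEW_BUILD = """package: com.example.browser
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
"""

if __name__ == "__main__":
    print(compare_permissions(OLD_BUILD, NEW_BUILD))
    print("old build, unexplained:", unjustified_dangerous(parse_aapt_permissions(OLD_BUILD)))
    print("new build, unexplained:", unjustified_dangerous(parse_aapt_permissions(NEW_BUILD)))
```

This diffs what the manifest declares. To see what a build actually holds on a given phone, pair it with `adb shell dumpsys package <pkg>` and read the `runtime permissions:` section, where each dangerous permission is listed with `granted=true` or `granted=false`.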
How missed international calls hacked into WhatsApp
Facebook-owned WhatsApp was widely regarded as one of the safer messengers because of its end-to-end encryption, yet the flaw exploited here sat outside the encryption entirely. It was a buffer overflow in WhatsApp's VoIP stack (CVE-2019-3568), triggered by a specially crafted series of SRTCP packets sent to a target's phone number during call set-up. Because those packets are processed before anyone picks up, the target did not have to answer; the call only had to ring, and the attacker could even erase it from the call log afterwards.
Go4hosting has reason to believe that this is what Pegasus took advantage of. When the 17 victims received the missed calls, malicious data packets from Pegasus's systems were transmitted to the victims' phones, and since WhatsApp already had permission to read and write the SD card, the program had little trouble invading the phone's storage.
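The first thing a practitioner would check on a phone that received such calls is whether the WhatsApp build installed at the time predates the fix. The example below is added here and is not code from the original page or from WhatsApp. It reads the output of `adb shell dumpsys package com.whatsapp` and compares `versionName` against the first fixed Android versions given in Facebook's advisory for CVE-2019-3568 (WhatsApp for Android before 2.19.134, WhatsApp Business for Android before 2.19.44); the `dumpsys` excerpt it parses is constructed, and the `versionCode` and hash in it are placeholders.

```python
import re

# First fixed Android builds from Facebook's advisory for CVE-2019-3568.
# iOS, Windows Phone and Tizen are also covered by the advisory but not by dumpsys.
FIXED_IN = {
    "com.whatsapp": (2, 19, 134),        # WhatsApp for Android
    "com.whatsapp.w4b": (2, 19, 44),     # WhatsApp Business for Android
}

_PACKAGE_RE = re.compile(r"^Package \[([\w.]+)\]", re.M)
_VERSION_RE = re.compile(r"^\s*versionName=(\S+)", re.M)


def parse_version(version_name):
    """'2.19.118' -> (2, 19, 118); non-numeric suffixes are dropped so tuples compare cleanly."""
    return tuple(int(p) for p in re.findall(r"\d+", version_name))


def parse_dumpsys(text):
    """Extract (package, versionName) from `dumpsys package <pkg>` output."""
    pkg, ver = _PACKAGE_RE.search(text), _VERSION_RE.search(text)
    if not pkg or not ver:
        raise ValueError("no Package [...] header or versionName line found")
    return pkg.group(1), ver.group(1)


def is_vulnerable(package, version_name):
    """True if the installed build is older than the first fixed build for that package."""
    fixed = FIXED_IN.get(package)
    if fixed is None:
        raise KeyError(f"no advisory data for {package}")
    return parse_version(version_name) < fixed


def check_device(dumpsys_text):
    """Convenience wrapper: (package, versionName, vulnerable) for one dumpsys dump."""
    package, version_name = parse_dumpsys(dumpsys_text)
    return package, version_name, is_vulnerable(package, version_name)


# Constructed excerpt of `adb shell dumpsys package com.whatsapp`; values are placeholders.
SAMPLE_DUMPSYS = """Package [com.whatsapp] (1a2b3c4):
    userId=10123
    versionCode=451964 minSdk=15 targetSdk=28
    versionName=2.19.118
    timeStamp=2019-05-01 10:12:33
"""

if __name__ == "__main__":
    package, version_name, vulnerable = check_device(SAMPLE_DUMPSYS)
    print(f"{package} {version_name}: {'VULNERABLE' if vulnerable else 'patched'}")
```

A patched build closes this vector for future calls; it says nothing about whether an implant was already delivered before the update, which is a forensic question rather than a version check.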
What Damage Can Missed Calls do?
Truecaller, a Swedish caller-ID application that was also on the list of banned apps, reported that India ranks #5 in its global spam-call rankings.
The number of international spam calls rose in 2019. An average Indian receives around 26 pesky phone calls every month, the report says.
Though the number of fraud calls has dipped, the frauds carried out over phone calls have increased drastically.
Some recipients reported numbers that did not appear in their call logs, and some reported receiving calls with no caller ID at all.
People in India were already worn down by badgering credit-card calls, and now Pegasus operators have joined the club, albeit far more covertly. At present there seems to be no cure for the disease that Israel's NSO Group, the company that developed Pegasus, has unleashed, beyond patching each vector as it is found.
Because phones are being hacked with missed calls, privacy is at an all-time low. The way Pegasus was discovered hints at an even bigger peril. Such implants may have existed for a very long time, perhaps even embedded in new smartphones. Or perhaps the people developing applications (like WhatsApp, UC Browser, etc.) intentionally leave loopholes to sell to organizations like NSO; one may never know.