
There is no self propagation code built into Pegasus.

It would be relatively trivial to write such - simply have it send the exploit via iMessage to all of a target's contacts, rinse and repeat.

This would be counterproductive though - the whole selling point of Pegasus is targeted surveillance, and such exploits are very costly - uncontrolled spreading would make it detected much faster, burning a valuable resource.

If such exploits were cheap, it’s plausible you could justify writing a variant that automatically attacks a target's entire address book to mine their social graph, but then you have the problem of analysing a shitload of probably worthless data…

If some hacker gets a clearly infectious Pegasus link they should make it spread through messages to everyone. Bricking everyone’s iPhone will probably make all the governments and Apple sit up and do some real damage to these actors.


Many of the Pegasus attacks are zero-click, so no link is needed. All they need to do is send you a message and you are compromised.

They presumably also configure their command and control to only persist if it is one of the designated targets and wipe all traces if it is not, so even forwarding the attack payload would probably not do anything. You would need to determine you have been compromised and then reverse engineer the exploit so you could replace the command payload with an irreversible bricking operation to do what you suggest.

At that point you might as well spend the $5M-$10M to develop the entire attack yourself. If you are a competitor to Apple spending $10M to completely destroy the $2.7T Apple is literal pocket change; too small to even show up on your financials.


> If you are a competitor to Apple spending $10M to completely destroy the $2.7T Apple is literal pocket change; too small to even show up on your financials.

You're comparing two near completely unrelated numbers here. That's not what enterprise value means; it doesn't mean much of anything really.


> All they need to do is send you a message and you are compromised.

How does that even work?


It works the usual way -- you make a payload that, when processed by buggy code, executes itself. If the buggy code happens to be an SMS packet parser, image decoder, text rendering, blocklist check or another 2 million of the things that run to show you an incoming SMS (or even better, a flash message, or something not visible to the user), then you don't have to click on it.

I mean, if the bug is in the browser, you have to visit the page for the payload to get to you, but it's a phone. A device for other people to contact you.
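As an added illustration of the bug class the comment above describes (this is not code from the thread, and it is not modelled on any real iMessage or SMS structure), here is a constructed, toy "attachment" record parser in C in its unchecked and checked forms. The wire layout, the function names and the ATTACH_MAX limit are all assumptions made for the example. The point is the defender's one: a length field that arrives over the network is attacker-controlled, and the hardened version validates it against both the bytes actually received and the destination capacity before copying anything, which is exactly the check a reviewer or a fuzzer harness looks for in code that runs on incoming messages.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy wire format for an "attachment" record inside a message,
 * used only to illustrate the parser bug class discussed in the thread:
 *   [type:1 byte][len:2 bytes big-endian][payload:len bytes]
 * Nothing here mirrors any real iMessage or SMS structure (assumption). */

#define ATTACH_MAX 64   /* assumed fixed capacity of the destination buffer */

struct attachment {
    uint8_t  type;
    uint16_t len;
    uint8_t  data[ATTACH_MAX];
};

/* Unchecked parser (the bug class, not any real bug): it trusts the length
 * field from the wire and copies that many bytes into a fixed-size buffer.
 * A record whose declared len exceeds ATTACH_MAX writes past `data`; a len
 * larger than the bytes actually received reads past the end of `buf`.
 * Shown for comparison only; never run it on untrusted input. */
int parse_attachment_unchecked(const uint8_t *buf, size_t buflen,
                               struct attachment *out)
{
    if (buflen < 3) return -1;
    out->type = buf[0];
    out->len  = (uint16_t)((buf[1] << 8) | buf[2]);
    memcpy(out->data, buf + 3, out->len);   /* length never validated */
    return 0;
}

/* Hardened parser: every attacker-controlled length is validated against
 * both the bytes actually present and the destination capacity before any
 * copy happens. Returns 0 on success, a negative code on rejection. */
int parse_attachment_safe(const uint8_t *buf, size_t buflen,
                          struct attachment *out)
{
    if (buf == NULL || out == NULL) return -1;
    if (buflen < 3) return -2;                 /* header truncated */
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len > ATTACH_MAX) return -3;           /* would overflow out->data */
    if ((size_t)len > buflen - 3) return -4;   /* claims more than received */
    out->type = buf[0];
    out->len  = len;
    memcpy(out->data, buf + 3, len);
    return 0;
}

/* Helper for exercising the hardened parser: builds a record whose header
 * declares `declared` payload bytes while only `actual_payload` bytes are
 * really present, and returns the parser's verdict. */
int verdict_for_declared_len(uint16_t declared, size_t actual_payload)
{
    uint8_t msg[3 + 256];                      /* constructed sample buffer */
    struct attachment a;
    if (actual_payload > sizeof(msg) - 3) actual_payload = sizeof(msg) - 3;
    msg[0] = 0x01;                             /* arbitrary record type */
    msg[1] = (uint8_t)(declared >> 8);
    msg[2] = (uint8_t)(declared & 0xff);
    memset(msg + 3, 'A', actual_payload);      /* filler payload bytes */
    return parse_attachment_safe(msg, 3 + actual_payload, &a);
}

int main(void)
{
    printf("well-formed 16-byte record   : %d\n", verdict_for_declared_len(16, 16));
    printf("declared len > buffer (200)  : %d\n", verdict_for_declared_len(200, 200));
    printf("declared 16, only 8 received : %d\n", verdict_for_declared_len(16, 8));
    return 0;
}
```

The three calls in main show the well-formed record being accepted and the two malformed shapes (a length larger than the destination, and a length larger than what was actually received) being rejected before any memory is touched; the unchecked variant differs from the safe one only in the two missing comparisons, which is why this class of defect is so easy to miss in review and so worth fuzzing for.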


Here's an example of a real iOS SMS bug exploit delivered by SMS:

https://www.forbes.com/sites/amitchowdhry/2015/05/29/apple-e...


For example by finding an exploit in parsers of media "attachments": https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-i...


> make all the governments and Apple sit up and do some real damage to these actors.

International weapons dealing doesn't work that way. Point to any manufacturer of weapons and there's a bunch of people that don't like them. But the countries that benefit from those weapons don't agree.

