2016_Pegasus.md

File metadata and controls

39 lines (29 loc) · 3.63 KB

Pegasus

Malware profile by Julian Goeritz and Mika Schollmeyer

Classification

| Virus | Worm | Trojan | Ransomware | Botnet | Spyware |
|-------|------|--------|------------|--------|---------|
|       |      | ✔️     |            |        | ✔️      |

Facts & Figures

  • Year: 2016 [1]
  • Author: Israeli cyber intelligence firm NSO Group Technologies [1]
  • Language: Java/JavaScript [2, 3]
  • Infections: > 1,000 phones spread across ~50 countries [4]
  • Damage: Unknown

Description

NSO Group, an Israeli technology company, developed the smartphone spyware Pegasus, described by NSO co-founder Shalev Hulio as the company’s Trojan horse that could be sent “flying through the air” to infiltrate devices. [5]

On August 10 and 11, 2016, [Ahmed] Mansoor received SMS text messages on his iPhone promising “new secrets” about detainees tortured in UAE jails if he clicked on an included link. Instead of clicking, Mansoor sent the messages to Citizen Lab researchers.

[...]

The ensuing investigation, a collaboration between researchers from Citizen Lab and from Lookout Security, determined that the links led to a chain of zero-day exploits (“zero-days”) that would have remotely jailbroken Mansoor’s stock iPhone 6 and installed sophisticated spyware. We are calling this exploit chain Trident. Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements. [5]
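The lure described above is nothing more than a link delivered by SMS, and the investigation hinged on recognising where that link pointed. The following is an added example (not code from this profile, from Citizen Lab or from Lookout) of the first triage step a responder would run over an exported message list: extract the hostname of every link and compare it, label by label, against a list of indicator domains, so that `sub.indicator.test` matches but `indicator.test.attacker.example` does not. The indicator domains, sender labels and message bodies are constructed for the example; real NSO infrastructure indicators are published in the Citizen Lab report and are not reproduced here.

```python
"""Triage SMS messages by matching link hostnames against domain indicators.

Added example for this profile; not code from Citizen Lab, Lookout or NSO.
The indicator domains and the message export below are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed, hypothetical indicator domains (placeholders, not real IOCs).
INDICATOR_DOMAINS = {
    "sms.example-lure.test",
    "example-lure.test",
    "news-update.example",
}

# Constructed SMS export: (sender label, message body).
SAMPLE_SMS = [
    ("sender-A", "New secrets about detainees http://sms.example-lure.test/abc123"),
    ("sender-B", "Your package is waiting: https://tracking.example.org/p/99"),
    ("sender-C", "Read more at HTTPS://Example-Lure.TEST:443/x/"),
    ("sender-D", "Visit example-lure.test.evil.example/phish now"),
    ("sender-E", "No links here, just text"),
]

# Matches http(s) URLs and bare domains with an optional port and path.
URL_RE = re.compile(
    r"""(?i)\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/[^\s<>"']*)?"""
)


def extract_hosts(text):
    """Return the normalized (lower-case, no trailing dot) hostname of every
    URL-like token found in text."""
    hosts = []
    for match in URL_RE.finditer(text):
        token = match.group(0)
        # urlsplit only populates netloc when a scheme is present.
        if not token.lower().startswith(("http://", "https://")):
            token = "http://" + token
        host = urlsplit(token).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def host_matches(host, indicators):
    """True if host equals an indicator or is a subdomain of one.

    The comparison is done on whole DNS labels, not substrings, so an
    attacker-controlled name that merely contains an indicator as a prefix
    (indicator.test.attacker.example) does not match."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))


def triage(messages, indicators=INDICATOR_DOMAINS):
    """Return [(sender, host)] for every link pointing at an indicator domain."""
    hits = []
    for sender, body in messages:
        for host in extract_hosts(body):
            if host_matches(host, indicators):
                hits.append((sender, host))
    return hits


if __name__ == "__main__":
    for sender, host in triage(SAMPLE_SMS):
        print(f"{sender}: link to indicator domain {host}")
```

Two details matter in practice: hostnames are normalized (scheme optional, case folded, port stripped) before comparison, because lure links are frequently sent without a scheme or with mixed case, and the match walks the label hierarchy rather than using substring search, which would otherwise produce both false positives on look-alike names and false negatives on new subdomains of known infrastructure.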

After the first version was discovered, it did not take long to find the second: at the Security Analyst Summit 2017, Lookout researchers gave a talk on Pegasus for Android, also known as Chrysaor, the name Google uses for it. The Android version is very similar to its iOS sibling in capabilities but differs in the techniques it uses to compromise the device. Pegasus for Android does not rely on zero-day vulnerabilities. Instead, it uses a well-known rooting tool, Framaroot, whose exploits target vulnerabilities that are already patched on up-to-date devices. Another difference: if the iOS version fails to jailbreak the device, the whole attack fails, whereas the Android version, even when it cannot obtain the root access needed to install the surveillance components, falls back to asking the user directly for the permissions it needs in order to exfiltrate at least some data. [6]

Approximately $25,000 is paid per target. Given this relatively high price, it is safe to assume that only a small number of people have been infected with Pegasus; only very specific targets appear to be selected. [7]

Footnotes

  1. https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

  2. https://github.com/jonathandata1/pegasus_spyware

  3. https://asamborski.github.io/cs558_s17_blog/2017/03/30/pegasus.html

  4. https://www.businessinsider.in/tech/news/how-to-find-out-if-your-phone-is-infected-by-the-pegasus-spyware/articleshow/84578193.cms

  5. https://www.theguardian.com/theobserver/commentisfree/2019/may/19/may-i-have-a-word-about-pegasus-spyware

  6. https://www.kaspersky.com/blog/pegasus-spyware/14604/

  7. https://de.wikipedia.org/wiki/Pegasus_(Spyware)