Pegasus for iOS

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. [1] [2] The Android version is tracked separately under Pegasus for Android.

ID: S0289
Type: MALWARE
Platforms: iOS
Version: 1.1
Created: 25 October 2017
Last Modified: 24 October 2022

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

Pegasus for iOS has the ability to record audio.[1]

Mobile T1645 Compromise Client Software Binary

Pegasus for iOS modifies the system partition to maintain persistence.[1]

Mobile T1456 Drive-By Compromise

Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[1]

Mobile T1658 Exploitation for Client Execution

Pegasus for iOS can compromise iPhones running iOS 16.6 without any user interaction.

Mobile T1404 Exploitation for Privilege Escalation

Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[1]

Mobile T1430 Location Tracking

Pegasus for iOS updates and sends the location of the phone.[1]

Mobile T1644 Out of Band Data

Pegasus for iOS uses SMS for command and control.[1]

Mobile T1636 .002 Protected User Data: Call Log

Pegasus for iOS captures call logs.[1]

.003 Protected User Data: Contact List

Pegasus for iOS gathers contacts from the system by dumping the victim's address book.[1]

.004 Protected User Data: SMS Messages

Pegasus for iOS captures SMS messages that the victim sends or receives.[1]

Mobile T1409 Stored Application Data

Pegasus for iOS accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.[1]

Mobile T1426 System Information Discovery

Pegasus for iOS monitors the status of the victim device and blocks access to the phone by other jailbreaking software.[1]

Mobile T1421 System Network Connections Discovery

Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.[1]
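The technique list above is the part of this entry most analysts actually reuse, typically as an ATT&CK Navigator layer for gap analysis against mobile telemetry. The following is an added example, not code from MITRE or from the ATT&CK site: it parses the flattened "Techniques Used" rows exactly as they are laid out on this page (sub-technique rows such as ".003 ..." inherit the parent ID from the preceding row) and emits a Navigator layer. The `versions` values, the colour gradient and the sample rows embedded in `TECHNIQUE_ROWS` are assumptions and constructed input; adjust the version fields to the ATT&CK and Navigator releases you run.

```python
import json
import re

# Constructed sample input: the page's "Techniques Used" table, one row per
# line with the "Use" paragraphs removed. Sub-technique rows carry only the
# ".NNN" suffix and rely on the previous full row for the parent ID.
TECHNIQUE_ROWS = """
Mobile T1429 Audio Capture
Mobile T1645 Compromise Client Software Binary
Mobile T1456 Drive-By Compromise
Mobile T1658 Exploitation for Client Execution
Mobile T1404 Exploitation for Privilege Escalation
Mobile T1430 Location Tracking
Mobile T1644 Out of Band Data
Mobile T1636 .002 Protected User Data: Call Log
.003 Protected User Data: Contact List
.004 Protected User Data: SMS Messages
Mobile T1409 Stored Application Data
Mobile T1426 System Information Discovery
Mobile T1421 System Network Connections Discovery
"""

# A full row: "<Domain> T<4 digits> [.NNN] <Name>"
FULL_ROW = re.compile(
    r"^(?P<domain>[A-Za-z]+)\s+(?P<tid>T\d{4})(?:\s+\.(?P<sub>\d{3}))?\s+(?P<name>.+)$"
)
# A continuation row for a sub-technique: ".NNN <Name>"
SUB_ROW = re.compile(r"^\.(?P<sub>\d{3})\s+(?P<name>.+)$")

# ATT&CK table domain label -> Navigator domain identifier
DOMAIN_IDS = {"Mobile": "mobile-attack", "Enterprise": "enterprise-attack", "ICS": "ics-attack"}


def parse_technique_rows(text):
    """Parse flattened ATT&CK table rows into dicts with domain, techniqueID, name.

    Raises ValueError on an unrecognised row or a sub-technique row that has
    no preceding parent row (the edge case this layout makes easy to get wrong).
    """
    entries, domain, parent = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FULL_ROW.match(line)
        if m:
            domain, parent = m.group("domain"), m.group("tid")
            tid = parent + (f".{m.group('sub')}" if m.group("sub") else "")
            entries.append({"domain": domain, "techniqueID": tid, "name": m.group("name")})
            continue
        m = SUB_ROW.match(line)
        if m:
            if parent is None:
                raise ValueError(f"sub-technique row without a parent: {line!r}")
            entries.append({"domain": domain, "techniqueID": f"{parent}.{m.group('sub')}",
                            "name": m.group("name")})
            continue
        raise ValueError(f"unrecognised row: {line!r}")
    return entries


def build_navigator_layer(entries, name, description):
    """Build an ATT&CK Navigator layer dict highlighting every parsed technique.

    Parents of listed sub-techniques get an unscored entry with
    showSubtechniques=True so the sub-techniques are visible when the layer opens.
    The version strings below are assumed values, not taken from the page.
    """
    domains = {DOMAIN_IDS[e["domain"]] for e in entries}
    if len(domains) != 1:
        raise ValueError(f"a layer covers exactly one domain, got {sorted(domains)}")
    techniques, parents_needed = [], []
    for e in entries:
        techniques.append({"techniqueID": e["techniqueID"], "score": 1,
                           "comment": e["name"], "enabled": True})
        if "." in e["techniqueID"]:
            parent = e["techniqueID"].split(".")[0]
            if parent not in parents_needed:
                parents_needed.append(parent)
    listed = {t["techniqueID"] for t in techniques}
    for p in parents_needed:
        if p not in listed:
            techniques.append({"techniqueID": p, "showSubtechniques": True})
    return {
        "name": name,
        "versions": {"attack": "12", "navigator": "4.8.0", "layer": "4.4"},  # assumed
        "domain": domains.pop(),
        "description": description,
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
    }


def layer_json(text=TECHNIQUE_ROWS, name="Pegasus for iOS (S0289)"):
    """Parse the rows and return the layer as a JSON string ready to import."""
    entries = parse_technique_rows(text)
    layer = build_navigator_layer(entries, name, "Techniques used by S0289, parsed from the entry's table")
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(layer_json())
```

Save the output as a `.json` file and open it in Navigator with "Open Existing Layer". The parser deliberately refuses an orphaned ".NNN" row rather than silently attaching it to the wrong parent, which is the failure mode when a copied table is missing its first line.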

References