Pegasus for iOS

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. [1] [2] The Android version is tracked separately under Pegasus for Android.

ID: S0289
Platforms: iOS

Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1433 | Access Call Log | Pegasus for iOS captures call logs.[1] |
| Mobile | T1432 | Access Contact List | Pegasus for iOS gathers contacts from the system by dumping the victim's address book.[1] |
| Mobile | T1409 | Access Sensitive Data or Credentials in Files | Pegasus for iOS accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.[1] |
| Mobile | T1438 | Alternate Network Mediums | Pegasus for iOS uses SMS for command and control.[1] |
| Mobile | T1412 | Capture SMS Messages | Pegasus for iOS captures SMS messages that the victim sends or receives.[1] |
| Mobile | T1456 | Drive-by Compromise | Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[1] |
| Mobile | T1404 | Exploit OS Vulnerability | Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[1] |
| Mobile | T1477 | Exploit via Radio Interfaces | Pegasus for iOS was delivered via an SMS message containing a link to a web site with malicious code.[2] |
| Mobile | T1430 | Location Tracking | Pegasus for iOS updates and sends the location of the phone.[1] |
| Mobile | T1429 | Microphone or Camera Recordings | Pegasus for iOS has the ability to record audio.[1] |
| Mobile | T1400 | Modify System Partition | Pegasus for iOS modifies the system partition to maintain persistence.[1] |
| Mobile | T1426 | System Information Discovery | Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.[1] |
| Mobile | T1422 | System Network Configuration Discovery | Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.[1] |