Pegasus for Android

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. [1] [2] The iOS version is tracked separately under Pegasus for iOS.

ID: S0316
Associated Software: Chrysaor

Platforms: Android

Version: 1.1

Associated Software Descriptions

Chrysaor[1] [2]

Techniques Used

MobileT1435Access Calendar EntriesPegasus for Android accesses calendar entries.[1]
MobileT1433Access Call LogPegasus for Android accesses call logs.[1]
MobileT1432Access Contact ListPegasus for Android accesses contact list information.[1]
MobileT1409Access Sensitive Data or Credentials in FilesPegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.[1]
MobileT1438Alternate Network MediumsPegasus for Android uses SMS for command and control.[1]
MobileT1402App Auto-Start at Device BootPegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.[1]
MobileT1418Application DiscoveryPegasus for Android accesses the list of installed applications.[1]
MobileT1475Deliver Malicious App via Authorized App StorePegasus for Android attempts to detect whether it is running in an emulator rather than a real device.[1]
MobileT1404Exploit OS VulnerabilityPegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.[1]
MobileT1429Microphone or Camera RecordingsPegasus for Android has the ability to record audio and take pictures using the device camera.[1]
MobileT1400Modify System PartitionPegasus for Android attempts to modify the device's system partition.[1]
MobileT1422System Network Configuration DiscoveryPegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.[1]