Register to stream ATT&CKcon 2.0 October 29-30

Pegasus for Android

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. [1] [2] The iOS version is tracked separately under Pegasus for iOS.

ID: S0316
Associated Software: Chrysaor
Type: MALWARE
Platforms: Android
Version: 1.1

Associated Software Descriptions

Name Description
Chrysaor [1] [2]

Techniques Used

Domain ID Name Use
Mobile T1435 Access Calendar Entries Pegasus for Android accesses calendar entries. [1]
Mobile T1433 Access Call Log Pegasus for Android accesses call logs. [1]
Mobile T1432 Access Contact List Pegasus for Android accesses contact list information. [1]
Mobile T1409 Access Sensitive Data or Credentials in Files Pegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings. [1]
Mobile T1438 Alternate Network Mediums Pegasus for Android uses SMS for command and control. [1]
Mobile T1402 App Auto-Start at Device Boot Pegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time. [1]
Mobile T1418 Application Discovery Pegasus for Android accesses the list of installed applications. [1]
Mobile T1475 Deliver Malicious App via Authorized App Store Pegasus for Android attempts to detect whether it is running in an emulator rather than a real device. [1]
Mobile T1404 Exploit OS Vulnerability Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges. [1]
Mobile T1429 Microphone or Camera Recordings Pegasus for Android has the ability to record audio and take pictures using the device camera. [1]
Mobile T1400 Modify System Partition Pegasus for Android attempts to modify the device's system partition. [1]
Mobile T1422 System Network Configuration Discovery Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming. [1]

References