Pegasus for Android

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. [1] [2] The iOS version is tracked separately under Pegasus for iOS.

ID: S0316
Associated Software: Chrysaor
Platforms: Android
Version: 1.2
Created: 25 October 2017
Last Modified: 24 October 2022

Associated Software Descriptions

Name Description

[1] [2]

Techniques Used

Domain ID Name Use
Mobile T1429 Audio Capture

Pegasus for Android has the ability to record device audio.[1]

Mobile T1645 Compromise Client Software Binary

Pegasus for Android attempts to modify the device's system partition.[1]

Mobile T1624 .001 Event Triggered Execution: Broadcast Receivers

Pegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.[1]

Mobile T1404 Exploitation for Privilege Escalation

Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.[1]

Mobile T1644 Out of Band Data

Pegasus for Android uses SMS for command and control.[1]

Mobile T1636 .001 Protected User Data: Calendar Entries

Pegasus for Android accesses calendar entries.[1]

.002 Protected User Data: Call Log

Pegasus for Android accesses call logs.[1]

.003 Protected User Data: Contact List

Pegasus for Android accesses contact list information.[1]

Mobile T1418 Software Discovery

Pegasus for Android accesses the list of installed applications.[1]

Mobile T1409 Stored Application Data

Pegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.[1]

Mobile T1422 System Network Configuration Discovery

Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.[1]

Mobile T1512 Video Capture

Pegasus for Android has the ability to take pictures using the device camera.[1]