Modify System Partition
If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.
Many Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.
|System Partition Integrity|
|Pegasus for Android|
|Pegasus for iOS|
Android devices with the Verified Boot capability  perform cryptographic checks of the integrity of the system partition.
The Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.
Samsung KNOX also provides a remote attestation capability on supported Samsung Android devices.
iOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.
- Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.
- Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
- Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.
- Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.