Access Sensitive Data or Credentials in Files
An adversary could attempt to read files that contain sensitive data or credentials (e.g., private keys, passwords, access tokens). This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).
|Mitigation|Description|
|---|---|
|Application Vetting|Ensure that applications do not store sensitive data or credentials insecurely (e.g., with insecure file permissions or in an insecure location such as external data storage).|
|Use Device Provided Credential Storage|Android and iOS provide hardware-backed capabilities to store credentials in an isolated location where they are less likely to be compromised even in the case of a successful privilege escalation attack against the operating system.|
|Use Recent OS Version|Android 7 provides stronger default file permissions over application internal data storage directories, decreasing the likelihood that insecure file permissions can be exploited.|
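
As an added illustration of the Application Vetting check (not part of the original entry), the script below flags files an app has stored with insecure permissions or on external storage. It assumes the vetter has already collected a listing of `<octal mode> <path>` lines from a test device; the package name, paths, external-storage prefixes and sensitive-name patterns are constructed for the example.

```python
import re
from typing import NamedTuple

# Path prefixes for shared/external storage on Android (assumed list, extend as needed).
EXTERNAL_PREFIXES = ("/sdcard/", "/mnt/sdcard/", "/storage/")
# Hypothetical name patterns that suggest credentials or key material.
SENSITIVE_NAME = re.compile(
    r"(token|passw|secret|credential|\.pem$|\.key$|\.p12$|\.jks$)", re.I
)

class Finding(NamedTuple):
    path: str
    mode: int
    reasons: tuple

def vet_listing(lines):
    """Parse '<octal mode> <path>' lines and return findings for insecurely stored files."""
    findings = []
    for raw in lines:
        mode_text, _, path = raw.strip().partition(" ")
        try:
            mode = int(mode_text, 8)
        except ValueError:
            continue  # skip blank lines and lines not in the expected format
        if not path:
            continue
        reasons = []
        if mode & 0o004:
            reasons.append("world-readable")
        if mode & 0o002:
            reasons.append("world-writable")
        if path.startswith(EXTERNAL_PREFIXES):
            reasons.append("external-storage")
        # A sensitive-looking name only matters when the file is already exposed.
        if reasons and SENSITIVE_NAME.search(path):
            reasons.append("sensitive-name")
        if reasons:
            findings.append(Finding(path, mode, tuple(reasons)))
    return findings

# Constructed sample listing (not taken from a real device or app).
SAMPLE = """\
600 /data/data/com.example.app/shared_prefs/session.xml
664 /data/data/com.example.app/files/api_token.txt
660 /storage/emulated/0/Android/data/com.example.app/files/backup.key
600 /data/data/com.example.app/databases/messages.db
666 /data/data/com.example.app/cache/thumb.png
""".splitlines()

if __name__ == "__main__":
    for f in vet_listing(SAMPLE):
        print(f"{f.mode:o} {f.path}: {', '.join(f.reasons)}")
```

Findings that carry `sensitive-name` are the ones to review first; credentials found this way belong in the device-provided credential storage described in the next mitigation.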
|Name|Description|
|---|---|
|Pegasus for Android|Pegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.|
|Pegasus for iOS| |