26.08.2016

Technical Analysis of Pegasus Spyware


notification IDs that get posted by various Pegasus modules. In the analyzed sample, this included notifications from the WhatsApp and Viber modules (libwacalls.dylib and libvbcalls.dylib).

Process Injection: converter

The interception of real-time calls from the chat messengers (e.g., WhatsApp, Viber) is done by a library that is injected into their process space dynamically at run time. The “converter” binary (the mechanism through which this occurs) is a version of the open-source cynject tool available here: https://github.com/r-plus/substrate/blob/master/cynject.cpp

converter takes a pid as an argument and injects a dylib into the running process using Mach kernel APIs (task_for_pid to obtain the target's task port, then a thread created inside the target that dlopen()s the library). The usage string for converter is: start (usage: %s <pid> <dylib> [args...])

Converter has the following entitlements:

com.apple.springboard.debugapplications

get-task-allow

task_for_pid-allow

Together these grant exactly what the injection needs: task_for_pid-allow lets converter obtain the task port of another process, get-task-allow lets its own task port be obtained, and com.apple.springboard.debugapplications lets SpringBoard treat it as a debugger of third-party apps. On a stock device these entitlements are reserved for Apple's debugging tooling; a third-party binary carrying all three is a strong indicator of compromise.

Additionally, converter has a failsafe key combination that it listens for on the keyboard to dynamically unload the injected libraries.
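The entitlements above are embedded in the binary's code signature as an XML plist inside the signature SuperBlob, so an analyst triaging a suspect iOS binary can pull them out and flag the injection-enabling set without running anything. The following Python is an added example written for this page, not code from the report or from Pegasus: it parses the SuperBlob layout (magic 0xfade0cc0, index entries, entitlements blob magic 0xfade7171), decodes the plist, and returns which of the three entitlements are set. The sample SuperBlob is constructed inline by build_superblob; the dictionary contents are hypothetical, and the expected slot and magic values follow Apple's published cs_blobs.h.

```python
import plistlib
import struct

# Magic numbers from Apple's code-signing blob format (cs_blobs.h).
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0     # SuperBlob wrapping the whole signature
CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xFADE7171  # blob holding the XML entitlements plist
CSSLOT_ENTITLEMENTS = 5                     # index slot that points at that blob

# Entitlements that together let a process inject code into others on iOS.
INJECTION_ENTITLEMENTS = {
    "task_for_pid-allow": "may obtain task ports of other processes",
    "get-task-allow": "own task port may be obtained by a debugger",
    "com.apple.springboard.debugapplications": "SpringBoard treats the process as a debugger",
}


def build_superblob(entitlements: dict) -> bytes:
    """Constructed test input: wrap an entitlements plist in a minimal SuperBlob
    laid out the way codesign embeds it (header, one index entry, one blob)."""
    plist = plistlib.dumps(entitlements, fmt=plistlib.FMT_XML)
    ent_blob = struct.pack(">II", CSMAGIC_EMBEDDED_ENTITLEMENTS, 8 + len(plist)) + plist
    header_len = 12 + 8  # SuperBlob header plus one 8-byte index entry
    header = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, header_len + len(ent_blob), 1)
    index = struct.pack(">II", CSSLOT_ENTITLEMENTS, header_len)  # offset is from blob start
    return header + index + ent_blob


def parse_entitlements(superblob: bytes) -> dict:
    """Walk the SuperBlob index and decode the entitlements plist, if present.
    Every offset and length is bounds-checked before use, since a hostile
    binary controls these fields."""
    if len(superblob) < 12:
        raise ValueError("too short for a SuperBlob header")
    magic, length, count = struct.unpack_from(">III", superblob, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded-signature SuperBlob")
    if length > len(superblob) or 12 + 8 * count > length:
        raise ValueError("SuperBlob header claims more data than is present")
    for i in range(count):
        slot, offset = struct.unpack_from(">II", superblob, 12 + 8 * i)
        if slot != CSSLOT_ENTITLEMENTS:
            continue
        if offset + 8 > length:
            raise ValueError("entitlements blob header out of bounds")
        bmagic, blen = struct.unpack_from(">II", superblob, offset)
        if bmagic != CSMAGIC_EMBEDDED_ENTITLEMENTS:
            raise ValueError("entitlements slot holds an unexpected blob")
        if blen < 8 or offset + blen > length:
            raise ValueError("entitlements blob out of bounds")
        return plistlib.loads(superblob[offset + 8:offset + blen])
    return {}  # signed, but no entitlements blob


def injection_capable(entitlements: dict) -> list:
    """Return the injection-enabling entitlements that are set to true, sorted."""
    return sorted(k for k, v in entitlements.items()
                  if k in INJECTION_ENTITLEMENTS and v is True)


if __name__ == "__main__":
    # Constructed sample mirroring the converter entitlements listed above.
    sample = build_superblob({
        "application-identifier": "com.example.converter",  # hypothetical
        "com.apple.springboard.debugapplications": True,
        "get-task-allow": True,
        "task_for_pid-allow": True,
    })
    for name in injection_capable(parse_entitlements(sample)):
        print(f"{name}: {INJECTION_ENTITLEMENTS[name]}")
```

On a real Mach-O the SuperBlob is located through the LC_CODE_SIGNATURE load command (dataoff/datasize in the __LINKEDIT segment); parse_entitlements accepts that slice directly. A benign app will normally carry get-task-allow only in development builds and never task_for_pid-allow, so any non-empty result from injection_capable on a binary found on a device is worth escalating.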

Skype

Pegasus pulls all of the data about calls out of the Skype database on the device.

TECHNICAL ANALYSIS OF PEGASUS SPYWARE | 24
