You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
notification IDs that get posted by various <strong>Pegasus</strong> modules. In the analyzed sample, this included notifications from the<br />
WhatsApp and Viber modules (, libwacalls.dylib and libvbcalls.dylib).<br />
Process Injection: converter<br />
The interception <strong>of</strong> real-time calls from the chat messengers (e.g., WhatsApp, Viber) comes through a library that is injected<br />
into their process space dynamically at run time. The “converter” binary (the mechanism through which this occurs) is a<br />
version <strong>of</strong> the cynject open-source library available here: https://github.com/r-plus/substrate/blob/master/cynject.cpp<br />
The library takes a pid as an argument and injects a dylib into running process using Mach kernel APIs. The usage for converter<br />
is: start (usage: %s [args...])<br />
Converter has the following entitlements:<br />
com.apple.springboard.debugapplications<br />
<br />
get-task-allow<br />
<br />
task_for_pid-allow<br />
<br />
Additionally, converter has a failsafe key combination that it listens for on the keyboard to dynamically unload the injected<br />
libraries.<br />
Skype<br />
<strong>Pegasus</strong> pulls all <strong>of</strong> the data about calls out <strong>of</strong> the Skype database on the device.<br />
TECHNICAL ANALYSIS OF PEGASUS SPYWARE | 24