Pegasus for Android

More documents

Recommendations

Info

XML response parsing is performed within the application by overriding the startElement(), endElement(), and characters() methods of the org.xml.sax.helpers.DefaultHandler class from the SAX2 library and tracking the start/end of various elements. This parsing method allows the client to accept more than one possible response structure so it’s not possible to determine with certainty how the server side portion of the application structures all of its commands. It is only possible to determine which commands the application will respond to. Below is a listing of commands relevant to the application’s core functionality: Command dump Purpose Requests the client send back a configurable list of data which may include: ● ● ● ● ● ● ● ● ● SMS messages Phone call logs Contacts stored on the SIM card and device WhatsApp messages Facebook messages Twitter messages Browser history List of installed and running applications on the device Kako messages 13
● ● ● ● VIber messages Skype chat logs Calendar entries Email stored on the device upgrade camCmd emailAttCmd Requests the application to download and install an upgrade package from a specified URL. Requests the application take a screenshot or photo with the front or rear facing camera on the device. Causes the application to retrieve a particular email attachment. Additional commands are available to set most of the configurable options within the application. Each command includes an ack ID which the client will transmit back to the C2 server to acknowledge receipt of the command. SMS/MMS/WAP Inbound SMS Similar to the methodology used by Pegasus for iOS, the Android package can receive commands contained in SMS message bodies which appear to be disguised as Google authentication codes. The command parser used by the Android version of the application appears compatible with messages that have been observed being sent to iOS devices. The application registers a content observer for the Android SMS content provider which performs a case insensitive search of the SMS message bodies for the string “your google verification code” on incoming SMS messages. SMS commands can include a command number, an ack ID, command arguments, and a signature. The basic command structure is: text:[Six Digits][Command Number]a=[Ack ID]&[Command Arguments]&s=[Message Signature] The message signature is an MD5 hash of the token configured on initial application launch and the contents command message. The signature included in the message is checked against a signature generated on the device. This ensures that the application will only respond to commands which are issued from a sender who knows the device’s token. 14
Page 1 and 2: Pegasus for Android Technical Analy
Page 3 and 4: Executive Summary For the past seve
Page 5 and 6: With an identified set of indicator
Page 7 and 8: Messaging Protocol MQTT Yes Yes Aud
Page 9 and 10: Certificate fingerprints: MD5: 02:3
Page 11 and 12: Communication Methods Similar to th
Page 13: The data collection file format wil
Page 17 and 18: Outbound SMS The application will s
Page 19 and 20: including an MQTT username, passwor
Page 21 and 22: all_files_plus_perms_bitmask = File
Page 23 and 24: On devices where the screencap
Page 25 and 26: The component of libk that is
Page 27 and 28: Maximum Check In Time Exceeded Suic
Page 29 and 30: If the hashes do match, the remaini
Page 31 and 32: Conclusion In the analysis of Pegas
Page 33 and 34: Appendix Sample Digests Pegasus for
Page 35 and 36: failureCount grace packageVersion v
Page 37: mqttIdPref mqttQos mqttKaTimer mqtt

Pegasus for Android

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?