Pegasus for Android
including an MQTT username, password, and identifying token. The provided token is used to
subscribe to a particular MQTT topic so that the operator can issue device specific commands
that are then executed by that client.

The processing of these remotely issued commands is handled in the same fashion as
instructions received via HTTP and SMS, previously detailed in this report. Each command
includes a signature that is used to verify the authenticity of the command and ensure it is not
only created by the attackers, but that it is intended for the device that is currently processing it.
A separate thread is then responsible for handling the execution of these instructions.

Given that certain device criteria need to be met before certain commands are executed, it is
possible that received commands are not immediately executed. To handle this, Pegasus for
Android has a linked hash set that is used to store pending instructions. At most, 60 pending
instructions can be stored. When full, the receipt of further instructions results in the deletion of
the next instruction to be deleted and the addition of the most recently received one.

Phone Calls

The application has special handling for calls associated with the numbers *762646466 and
*7626464633. These phone numbers, respectively, toggle on and off the romingSetted
configuration option which controls whether normal C2 communication is used when the device
is roaming. This feature is likely implemented because when a device is roaming and
romingSetted is disabled, the application will not accept commands from the normal HTTP,
SMS, or MQTT communications channels.
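
A defender-side check for the two dial strings described above, as an added example that is not part of the original report. It scans a constructed call-log export (the three-column CSV layout, the sample rows and the function names are assumptions) and matches normalized numbers exactly, since the two strings share their first eight digits.

```python
import csv
import io
import re
from urllib.parse import unquote

# Dial strings from the report: the first turns romingSetted on, the second off.
ROAMING_TOGGLES = {"*762646466": True, "*7626464633": False}

# Constructed sample export (timestamp, direction, number). The CSV layout is an
# assumption made for this example, not a format taken from the report.
SAMPLE_CALL_LOG = """\
2016-08-01T09:12:44Z,outgoing,+1 415 555 0100
2016-08-01T09:30:02Z,incoming,tel:%2A762646466
2016-08-02T17:05:10Z,outgoing,*762-646-4633
2016-08-03T08:00:00Z,incoming,*7626464633
2016-08-03T08:01:00Z,incoming,7626464633
"""


def normalize(number: str) -> str:
    """Decode URI escapes, drop a tel: scheme and common dial separators."""
    n = unquote(number.strip())
    n = re.sub(r"^tel:", "", n, flags=re.IGNORECASE)
    return re.sub(r"[\s\-().]", "", n)


def find_toggle_calls(log_text: str):
    """Return (timestamp, direction, number, new romingSetted value) per hit."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip malformed rows rather than guessing at fields
        timestamp, direction, number = row
        dialed = normalize(number)
        if dialed in ROAMING_TOGGLES:  # exact match only, leading '*' included
            hits.append((timestamp, direction, dialed, ROAMING_TOGGLES[dialed]))
    return sorted(hits)  # ISO-8601 UTC timestamps sort chronologically


def last_roaming_state(hits):
    """romingSetted value implied by the most recent toggle call, or None."""
    return hits[-1][3] if hits else None


if __name__ == "__main__":
    for ts, direction, dialed, enabled in find_toggle_calls(SAMPLE_CALL_LOG):
        print(f"{ts} {direction} {dialed} -> romingSetted={'on' if enabled else 'off'}")
```

The report does not say whether the calls are incoming or outgoing, so the direction is reported rather than filtered on.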