Pegasus for Android

More documents

Recommendations

Info

Persistence, Evasion, and Suicide Functionality Suicide Functionality As seen in the iOS version of Pegasus, the Android counterpart also includes suicide functionality to remove itself under a variety of different circumstances. Our analysis identified the following four cases where this functionality would be triggered: 1. The MCC subscribe ID does not exist or is invalid 2. An antidote file exists at /sdcard/MemosNoteNotes 3. Pegasus for Android has not checked in with the servers for more than 60 days 4. Pegasus for Android receives a remote command to remove itself MCC Subscriber ID Suicide It appears that Pegasus for Android will kill itself if it is unable to detect the MCC subscriber ID or finds it to be invalid. This is likely to prevent it from being run on test devices and emulator environments which may not be connected to a cellular network. The analyzed sample appeared to contain (what is presumably) test code that allows it to run regardless of whether it detects the device is connected to a cellular network or not. Existence of Antidote File If a file is present at /sdcard/MemosForNotes then Pegasus for Android will clean up and remove itself from the device. 25
Maximum Check In Time Exceeded Suicide functionality is also triggered if no contact has been made with the command and control servers for 60 days. Device Updates Disabled for Persistence Analysis showed that if Pegasus for Android was running on a Samsung device and was able to gain superuser access it would remove the system updater com.sec.android.fotaclient. This would prevent future device updates from occurring and allow its various components to persist on the /system partition of a compromised device. Pegasus for Android also disables automatic updates by setting Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0. 26
Page 1 and 2: Pegasus for Android Technical Analy
Page 3 and 4: Executive Summary For the past seve
Page 5 and 6: With an identified set of indicator
Page 7 and 8: Messaging Protocol MQTT Yes Yes Aud
Page 9 and 10: Certificate fingerprints: MD5: 02:3
Page 11 and 12: Communication Methods Similar to th
Page 13 and 14: The data collection file format wil
Page 15 and 16: ● ● ● ● VIber messages Skyp
Page 17 and 18: Outbound SMS The application will s
Page 19 and 20: including an MQTT username, passwor
Page 21 and 22: all_files_plus_perms_bitmask = File
Page 23 and 24: On devices where the screencap
Page 25: The component of libk that is
Page 29 and 30: If the hashes do match, the remaini
Page 31 and 32: Conclusion In the analysis of Pegas
Page 33 and 34: Appendix Sample Digests Pegasus for
Page 35 and 36: failureCount grace packageVersion v
Page 37: mqttIdPref mqttQos mqttKaTimer mqtt

Pegasus for Android

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?