Pegasus for Android

More documents

Recommendations

Info

CONTENTS CONTENTS 1 Executive Summary 2 Background 3 Threat Hunting and Joint Investigation 4 Pegasus for Android Overview 6 Android vs. iOS Pegasus Sample Comparison 6 Table 1: Comparison of Pegasus for iOS vs. Pegasus for Android 6 Feature comparison of Android vs. iOS Pegasus 7 Pegasus for Android Detailed Analysis 8 Sample 1 - Package Information 8 Sample 2 - Package Information 8 Initial Launch and Configuration 9 Communication Methods 11 HTTP Communication 11 Request Format 11 Response Format 13 SMS/MMS/WAP 15 Inbound SMS 15 Outbound SMS 17 WAP Push Messages 18 Message Queue Telemetry Transport (MQTT) 18 Phone Calls 19 Data Gathering and Surveillance Functionality 20 Targeted Applications 20 Live Audio Surveillance 22 Screenshot and Camera Capability 22 Keylogging 24 Persistence, Evasion, and Suicide Functionality 26 Suicide Functionality 26 MCC Subscriber ID Suicide 26 Existence of Antidote File 26 Maximum Check In Time Exceeded 27 Device Updates Disabled for Persistence 27 Native Components 28 Upgrade Process 28 Second Pegasus Sample 29 Conclusion 31 Acknowledgements 32 Appendix 33 1
Executive Summary For the past several months, the Lookout Security Intelligence team has been closely tracking the features and tradecraft of targeted nation-state level malware attacks against mobile users. In the initial investigation into the software developed by lawful intercept vendor NSO Group, we examined the common features and methodologies that are frequently used to perform espionage using the mobile platform. Building on our initial technical analysis of NSO’s Pegasus software after the August 2016 discovery of Pegasus, the security intelligence teams at Google and Lookout collaborated to discover and track Pegasus as it exists on the Android platform (aka Chrysaor) in order to roll out protection for Android users. This investigation originated with the Lookout August report and led to all Android, users being protected against this threat. On the Android platform, the Pegasus software has many of the same features that we described in the original Lookout report. The samples that Google acquired, and we analyzed for this report, existed as an Android application (APK) that compromised the device to install its malicious payload. These samples are dated, but given the recent Pegasus activity on devices observed by both Google and Lookout, the analysis represents important new insight into this spyware. Pegasus for Android has similar capabilities to its iOS counterpart including: ● Exfiltrate targeted data from common apps including: ○ WhatsApp ○ Skype ○ Facebook ○ Viber ○ Kakao ○ Twitter ○ Gmail ○ Android’s Native Browser and Chrome ○ Android’s Native Email ● Remote control of the device using SMS ● Surveillance of: ○ Audio via the microphone ○ Imagery via the camera (front and rear) ● Keylogging ● Screenshot capture ● Disabling of system updates Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups. These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world. As nation states continue to expand their mobile capabilities, it is important to provide detailed analysis of the capabilities that threat actors are deploying on the mobile 2
Page 1: Pegasus for Android Technical Analy
Page 5 and 6: With an identified set of indicator
Page 7 and 8: Messaging Protocol MQTT Yes Yes Aud
Page 9 and 10: Certificate fingerprints: MD5: 02:3
Page 11 and 12: Communication Methods Similar to th
Page 13 and 14: The data collection file format wil
Page 15 and 16: ● ● ● ● VIber messages Skyp
Page 17 and 18: Outbound SMS The application will s
Page 19 and 20: including an MQTT username, passwor
Page 21 and 22: all_files_plus_perms_bitmask = File
Page 23 and 24: On devices where the screencap
Page 25 and 26: The component of libk that is
Page 27 and 28: Maximum Check In Time Exceeded Suic
Page 29 and 30: If the hashes do match, the remaini
Page 31 and 32: Conclusion In the analysis of Pegas
Page 33 and 34: Appendix Sample Digests Pegasus for
Page 35 and 36: failureCount grace packageVersion v
Page 37: mqttIdPref mqttQos mqttKaTimer mqtt

Pegasus for Android

Create successful ePaper yourself

Delete template?

Save as template?