Pegasus is smartphone spyware developed by the Israeli surveillance firm NSO Group; it is believed to be one of the most dangerous pieces of spyware developed so far. It was found attacking iPhone devices in August 2016. Pegasus exploited three iOS zero-day vulnerabilities, which were unknown at the time.

Now, Google and the cyber security firm Lookout have discovered an Android version of the Pegasus spyware, aimed at devices running Google's Android operating system. Google first found hints of the Android version of Pegasus in late 2016, and at that time only a handful of the roughly 1.4 billion Android devices in use were infected with Pegasus.

How the malware works

Just like the version for iPhones, the Android version of Pegasus contains highly sophisticated and advanced features: it can be controlled through SMS and has self-destruct abilities too. It can harvest large amounts of communications data, records of WhatsApp calls and messages, and valuable data from Gmail, Facebook, Skype, Twitter and other apps. Furthermore, it can control the device's camera and microphone, conduct keylogging and capture screenshots. Google maintains that despite its advanced nature, Android Pegasus never made its way into the official Google Play Store.

Screenshot of text messages from 2016 sent to a human rights activist in UAE – The links lead the victim to Pegasus malware.

A full list of Pegasus' capabilities is:

Keylogging
Screenshot capture
Live audio capture
Remote control of the malware via SMS
Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, Kakao
Browser history exfiltration
Email exfiltration from Android’s Native Email client
Contacts and text messages

Through its self-destruct capabilities, the malware remained undetected for about three years. According to Michael Flossman (PDF), a mobile security researcher at Lookout, the malware removes itself as soon as it senses that it is about to be discovered, and this is why it took such a long time to find samples of it. Both Google and Lookout stated that the samples, although they date from 2014, provide solid evidence that this spyware was running on Android phones.

The iPhone-oriented version of Pegasus deleted itself after detecting a jailbreak, but the Android version deletes itself if it fails to connect to its command and control (C&C) server for a specific period of time, or if it determines that it is likely to be detected.

Flossman is of the opinion that Android-based Pegasus was distributed in the same manner as the iPhone version: through an SMS message.

“The various exploits contained in this surveillance-ware would attempt to be run once the app was installed. These exploits were patched on the target device, Pegasus would still be able to function but with a reduced set of capabilities,” explained Flossman.

Currently, investigators are not sure whether the developers of Android Pegasus used any zero-day vulnerabilities to exploit devices. It is, however, claimed that the Framaroot technique is used to root the device. This technique uses exploits named after characters from The Lord of the Rings, and it allows an attacker to obtain total control of the operating system.

According to the analysis of Google’s researchers, a majority of the targets are located in Israel but there are reports that users in Georgia, UAE, Turkey and Mexico were also targeted.

Google advises users to be cautious when installing apps and to install only from trusted sources. Furthermore, users should keep their devices' software updated, enable the lock screen, and keep anti-malware software turned on at all times.


Jahanzaib Hassan