Slide 1

Pegasus Spyware: An Analysis
Daiane Santos

Slide 2

Disclaimer

Slide 3

Malware

Malware is a term used for any type of malicious software designed to harm or exploit any programmable device, service or network.

Slide 4

Malwares

Zero click malware: A zero-click breach exploits flaws in your device, using a data verification loophole to create a path of entry into your system. Most software uses data verification processes to keep cyber breaches at bay.

One click malware: These are vulnerabilities that allow an attacker to induce users to perform actions that they do not intend to perform. This allows an attacker to partly circumvent the same origin policy, which is designed to prevent different websites from interfering with each other.

Slide 5

Malwares

Slide 6

Malwares

Slide 7

What is Pegasus Spyware?

Pegasus is spying software developed by NSO Group around 2011. NSO is a company related to the Israeli government. The primary purpose of this software was to spy upon anti-Israeli activists, war criminals, and persons suspected of spying for other countries.

Slide 8

Pegasus spyware allows an attacker to control a victim’s smartphone. It is difficult and often impossible for antivirus solutions to detect Pegasus spyware once it exploits zero-day vulnerabilities.

Slide 9

Main features and functioning of Pegasus:

- Monitoring phone calls, text messages, emails and messages from communication apps such as WhatsApp, Facebook Messenger, Telegram, among others.
- Access to cameras and microphones to record real-time audio and video.
- Real-time GPS location tracking.
- Access to device files and logs.
- Monitoring activities on social networks.
- Capturing passwords and login information.
- Enabling device encryption features to bypass security measures.

Slide 10

How does Pegasus Spyware work?

Slide 11

(image-only slide, no text)

Slide 12

Camouflage

Pegasus malware is known for its advanced ability to camouflage itself, making it difficult for security solutions and antivirus programs to detect it. This includes:

- Encryption: Pegasus uses advanced encryption techniques to obfuscate its code and make it unreadable by most detection tools.
- Polymorphism: Pegasus is able to change its appearance (shape) on a regular basis. This means that whenever the malware is updated or distributed to a new device, it can have different characteristics, such as unique code strings or signatures, making it difficult for security solutions to recognize Pegasus through static patterns.

Slide 13

Camouflage

- Signature Manipulation: Pegasus modifies its digital signatures and attributes to appear similar to legitimate applications or other operating system components. This makes the malware pass itself off as trustworthy software, decreasing its chances of being identified as a threat.
- Environment detection: Pegasus can detect whether it is running in an analysis environment, such as a test virtual machine or sandbox environment, used to examine suspicious software activity. When it detects these environments, the malware can behave differently or remain dormant to avoid discovery.
- Behavior analysis: Rather than performing malicious operations immediately after infection, Pegasus can wait for certain user behavior or other specific conditions before taking action. This technique delays the moment when the malware reveals its true intentions, making detection more difficult.

Slide 14

Camouflage

- Encrypted Connections: Pegasus uses encrypted communications to connect to command and control servers, ensuring that data traffic is not easily traceable or interpreted by security mechanisms.
- Valid Digital Signatures: Pegasus can use valid digital certificates, which are usually associated with legitimate developers, to digitally sign its components. This helps the malware avoid being blocked by signature checks performed by operating systems and security programs.
- Self-Destruction: The malware self-destructs if it fails to communicate with the command and control (C&C) server for more than 60 days, or if it detects it has been installed on a device with the wrong SIM card (remember this is a targeted threat).

Slide 15

Citizen Lab & Lookout

The discovery took place in 2016, when a UAE human rights activist, Ahmed Mansoor, received a text message with a suspicious link on his iPhone. Rather than clicking the link, Mansoor forwarded the message to Citizen Lab researchers, who had previously worked on similar malware cases.

Slide 16

Citizen Lab & Lookout

The researchers identified that the link was an exploit of a zero-day vulnerability in iOS and that the malware associated with that exploit was an earlier version of Pegasus. The vulnerability allowed Pegasus to be installed on Mansoor's iPhone without the need for any additional user interaction (zero click malware).

The investigation revealed that Pegasus was a highly sophisticated malware capable of performing complete and invasive surveillance on infected devices, with the ability to access the user's camera, microphone, messages, calls and other personal data, making it a serious threat to privacy and human rights.

Slide 17

Numbers

Slide 18

Nowadays

Currently there is not much information about Pegasus and its recent activities; the last known case related to it occurred in Feb 2022, and its activity cannot be tracked in such a simple way. Citizen Lab is still dedicated to finding information about this malware and others that may interfere with this privacy issue. Recently, in April, they shared research on a new spyware: QuaDream.

Slide 19

Thank you

@MOBILEHACKINGBR
@WH0ISDXK
DAIANESANTOS[AT]PROTONMAIL[DOT]COM