Pegasus Malware Evolves With An Android Version

Pegasus Malware Non-related image

Security experts from Google and Lookout uncovered a new dangerous Pegasus Malware evolved strain which is made for the Android operating system.

The Pegasus Malware Now Has an Android Version

The Trident series of vulnerabilities that plagued Apple users last year have are not the last appearance of the dangerous Pegasus malware. This is an extensive spyware module which can be customized to infect various parts of the compromised machines. We reported about it in a post last year. The newest evolution of Pegasus has been spotted by the security staff from Lookout and Google. At the moment it is not known who is behind the new strain. It is suspected that a large hacker collective is responsible for the Android version of Pegasus.

Pegasus comes in several different versions. Each of them is identified with different file hashes, sign names, content and package names. All of the analyzed samples are made up of a Java and a native code component:

  1. Java Layer – It is responsible for controlling, installing and operating the surveillance functions of the malware.

  2. Native Code – Responsible for the exploit processes, root privileges escalation and process hooks.

This versions mimics a large part of the features that are available in the prior iOS iteration. It is distributed as an Android application file (APK) through various means including the following:

  • Email Spam Messages – Hackers can opt to use email campaigns that distribute the APK file either as an attachment or hyperlinked.

  • Hosted On Third-Party Repositories – This is the most popular type of infection method. The criminals post the file on different third-party repositories which usually contain pirate content.

  • Social Engineering – Various malicious links can be sent to users via IM apps and social networks to attempt and trick Android users into infecting themselves with the virus.

An In-Depth Technical Overview

The malware has been categorized as extremely dangerous It includes an advanced stealth protection module which is able to subvert and bypass running security solutions and countermeasures offered by the operating system. Upon infection the virus is able to monitor the host device using a combination of modules. It can extract information about the phone, contacts, content from the most popular messaging apps (WhatsApp, Viber and Facebook), emails, photos from the camera and the contacts list. In addition a keylogger can be activated which records and transmits the keystrokes made by the victim user. Some of the key characteristics of the engine are the following:

  • A notable difference between the new versions and the older generation lies in the infection process. When the virus is introduced to the system the client application remains dormant until the device is rebooted. When the operating system starts once again it obtains an initial set of configuration options. If this is not done the Pegasus malware removes itself from the device. The set of variables is obtained by parsing a query string from a URL using the browser history or by reading data from a local file on the affected device. This procedure allows the virus module to access the browser history via Android’s browser and bookmarks content provider. The string “rU8IPXbn” is the magic string. The following parameters have been identified:
    t – Signals the token used to generate the command signatures and identify the host client.
    c – Base64 encoded command and signature.
    d – Sets the userNetwork variable which uses a mobile country code.
    b – Sets the installation configuration option.
    r – Sets the window Yuliyus configuration option.
    After the configuration is loaded the malware attempts to remove traces of its presence by deleting the URL from the browser history. The initial configuration variables can also be obtained by reading the content of two files (/data/myappinfo and /system/ttg).

  • The Android equivalent is able to communicate with the remote C&C servers using a wide range of mechanisms and protocols. This includes the following:

    HTTP Communication – The host applications sends out a beacon to a web server at a predefined time interval. The IP address and exact IP port is specified through one of the following methods – A command included in the initial configuration, SMS command or a command sent in an HTTP response from an existing C&C connection. The request format is made up of two headers which contain the session keys for the request and response messages:

    1. SessionId1 – This is the token which is stored on the client side. It is used by the server to generate the encrypted responses and identify the client device.

    2. SessionId2 – This is the AES key which is used to encrypt the files uploaded in the response body.

    The following commands are available:

    Dump – This command is used to request a configurable list of data to be sent to the servers from the host. This may include any of the following: SMS messages, phone call logs, stored contacts (both on the SIM card and the device), WhatsApp messages, Facebook messages, Twitter messages, Browser history, List of installed and running apps, messaging app messages, Skype chat logs, calendar entries and stored emails.

    Upgrade – Requests the application host to download and install and upgraded package from a specified URL.

    CamCmd – Requests the application to take a screenshot or photo using the front or rear camera.

    EmailAttCmd – Retrieves a specified email attachment.

    SMS/MMS/WAP – The Android version can receive commands via SMS messages that are disguised to appear as Google authentication tokens. Its interesting to note that the commands appear to be compatible with the ones from the iOS version. They include a command number , an ack (acknowledge) ID, command arguments and signature. The following string shows the basic command structure:

    text:[Six Digits] [Command Number]a=[ACK ID] & [Command Arguments]&s=[Message Signature]
    The commands are placed in number shortcuts from 0 to 8.

    Message Queue Telemetry Transport (MQTT) – The Android version is able to communicate to the servers via the MQTT protocol. The malware is able to perform a network connectivity check and based on the available resources and performance can enable this feature.

    Phone Calls – The Pegasus Malware can handle modify its behavior when it comes with contact the these two numbers – *762646466 and *7626464633. They toggle built-in options which control the C&C server communications.

  • Target Applications – The apps can target a large list of apps. The current iteration includes WhatsApp, Skype, Facebook, Viber, Kakao, Twitter, Gmail, Android’s Native Browser (or Chrome), Android’s Native Email and the calendar app.

  • Surveillance – The malware supports live audio surveillance, as well as taking screenshots and live camera capture. In addition the remote attackers can engage the built-in keylogger.

  • Killswitch – The Android version is able to kill itself if a certain condition is met. There are four case scenarios which are associated with the killswitch – The MCC subscribe ID is invalid; an antidote file is found in /sdcard/MemosNoteNotes; The malware has not contacted the servers for more than 60 days or the relevant command has been issued by the servers.

  • Persistence – The virus is able to create a persistent state of execution which makes manual removal very difficult.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Pegasus Malware Differences from the iOS Version

The Android strain does not require the use of a zero-day vulnerability to root the target device. Instead the hackers have used a relatively well-known technique known as Framaroot which is used to root the device and install the malware in an efficient manner. The operators have embedded a notification window which asks for permission from the owners to ask for additional privileges. A failsafe mechanism is also included if the initial root attempt fails.

The consequences of a Pegasus malware infection are devastating. The infected devices become a tool for espionage and can be used to further spread viruses to other potential victims. Google has published an extensive security report about the threat, the company has named the threat Chrysaor. A limited number of infections have been detected, at the time of writing this blog post most of them are located in Israel, Georgia and Mexico.

Users can defend themselves from the Pegasus malware by following some of the basic security tips offered by the company:

  • Install applications only from the official Google Play repository.

  • Use a secure lock screen with a strong code.

  • Update your device regularly.

  • Ensure that the Verify Apps feature is enabled.

  • Use The Android Device Manager to recover lost devices.

We would like to remind our readers that infections done by PCs are also a possible infection vector. This is the reason why we recommend that everyone use a quality anti-spyware solution for protection.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts