K7 Mobile Security has been detecting this spyware since April 2017, as shown in the table below.
A few hashes for your reference:
| Malware Hash | Detection since | Detection Name |
| 3a69bfbe5bc83c4df938177e05cd7c7c | 7/4/2017 | Spyware ( 0050ac201 ) |
| ee053dac91564a6c2419c0adb09a4165 | 7/4/2017 | Spyware ( 0050ac201 ) |
| 7c3ad8fec33465fed6563bbfabb5b13d | 7/4/2017 | Spyware ( 0050ac1f1 ) |
| 19c9f373bf8cb4d4ce6958b1c120ed03 | 7/4/2017 | Spyware ( 0050ac1f1 ) |
| cc9517aafb58279091ac17533293edc1 | 07-04-2017 | Spyware ( 0050ac201 ) |
| 20602a9fb071d3ce60c24b9c221d7d08 | 07-04-2017 | Spyware ( 0050ac201 ) |
We have additional detections after these dates as well. File hashes are referred from Virustotal.
Why Pegasus?
This spy software from NSO Group is claimed to be used by authoritarian governments as a surveillance tool to track rights activists, journalists, and lawyers around the world
- Pegasus spyware can harvest any data from a victim’s phone like SMS, Email, Photos/Videos, Contacts, and WhatsApp Chats, as well as activate the microphone, activate the camera, record calls, etc.
NSO Group, a private firm based in Israel, says their software is intended for use against criminals and terrorists and is made available to military, law enforcement, and intelligence agencies of different countries.
Media outlets under investigation say that the phone numbers on the list are from 50 countries and include politicians and heads of state, business executives, activists, and several Arab royal family members. More than 180 journalists were also found to be on the list, from organisations including CNN, the New York Times, and Al Jazeera.
Many of the numbers were clustered in 10 countries: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates, according to the reports.
”They are on a list of some 50,000 phone numbers of people believed to be of interest to clients of the company, NSO Group, leaked to major news outlets.
It was not clear where the list came from – or how many phones had been hacked.”
Source – https://www.bbc.com/news/technology-57881364
A significant incident:
The murder of Jamal Khashoggi, a US-based critic of Saudi Arabia’s government, was accomplished using this spyware to monitor the people closest to Khashoggi and other people of his inner circle.
Scandal in India
An issue similar to the current issue of spying on Indian politicians’ phones was reported in 2019.
October 30, 2019 – WhatsApp’s parent company Facebook confirmed that Pegasus, a sophisticated snooping software developed by Israel’s NSO Group, targeted Indian journalists, activists, lawyers and senior government officials.
- The IT Ministry of India sought a detailed response from WhatsApp on the issue
- They responded that they had alerted the government on two occasions – once in May and again in September 2019
- The Indian National Congress party alleged that the Narendra Modi-led government had been caught snooping on journalists, activists, lawyers and senior government officials
- They later alleged that their leaders, including general secretary Priyanka Gandhi, were also being targeted
- They also claimed WhatsApp sent messages to different people whose phones were hacked
- One such message was also received from the WhatsApp of Priyanka Gandhi a few months before the attack in 2019
Reference: https://en.wikipedia.org/wiki/Pegasus_(spyware)#Discovery
Note: It is not yet clear if the company/government is monitoring Indian targets.
Attribution to NSO Group, Israel
Pegasus for Android (reported on April 4 2017) is the companion app to Pegasus for iOS, a full-featured espionage platform discovered in August 2016 infecting the iPhone of a political dissident located in the United Arab Emirates. Researchers from Google and the mobile security firm Lookout found the Android version in the months following as they scoured the Internet. Google said an Android security feature known as Verify Apps indicated the newly discovered version of Pegasus had been installed on fewer than three dozen devices.
”Pegasus for Android is an example of the common feature-set that we see from nation-states and nation state-like groups.“ A ”cyber arms dealer“ named NSO Group developed the Pegasus malware, which jailbreaks or roots target devices to surveil specific targets.
Both the Lookout and Google blog posts attributed Pegasus for Android to NSO Group, an Israel-based seller of computer exploits credited with creating Pegasus for iOS. So-called lawful intercept software is ostensibly sold to legitimate law enforcement agencies so they can investigate and prosecute crimes. However, in practice, the tools are routinely used against citizens of Russia, Iran, and many other countries with repressive governments.
”These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world but also the virtual world.”
Technical Details
Pegasus for Android offers a wide array of spy functions, including:
- Keylogging
- Screenshot capture
- Live audio and video capture
- Remote control of the malware via SMS
- Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, Kakao, Gmail, Android’s Native Browser and Chrome, Android’s Native Email
- Browser history exfiltration
- Email exfiltration from Android’s native email client
- Contacts and text message exfiltration
- Disabling system updates
The iOS version of Pegasus took hold of targeted devices by exploiting a trio of critical security vulnerabilities unknown to Apple and most other security researchers. All that was required for an iPhone to be infected was that it opened a booby-trapped website. (Apple patched the vulnerabilities as soon as researchers from Citizen Lab and Lookout announced their discovery.) If the attempted iOS jailbreak was unsuccessful, Pegasus would abort all attempts to infect the iPhone.
Pegasus for Android, by contrast, doesn’t rely on zero-day security bugs to root target devices and infect them. Instead, it uses a well-known rooting technique called Framaroot to override security safeguards built into the Android OS. In the event the rooting doesn’t work, the espionage app seeks permissions required to exfiltrate data. As a result, Pegasus for Android is easier to deploy and has additional opportunities to take hold if the first attempt fails.
