S0316 Pegasus for Android
Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. 1 2 The iOS version is tracked separately under Pegasus for iOS.
| Item | Value |
|---|---|
| ID | S0316 |
| Associated Names | Chrysaor |
| Type | MALWARE |
| Version | 1.2 |
| Created | 25 October 2017 |
| Last Modified | 24 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Associated Software Descriptions
| Name | Description |
|---|---|
| Chrysaor | 1 2 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1429 | Audio Capture | Pegasus for Android has the ability to record device audio.1 |
| mobile | T1645 | Compromise Client Software Binary | Pegasus for Android attempts to modify the device’s system partition.1 |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | Pegasus for Android listens for the BOOT_COMPLETED broadcast intent in order to maintain persistence and activate its functionality at device boot time.1 |
| mobile | T1404 | Exploitation for Privilege Escalation | Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges.1 |
| mobile | T1644 | Out of Band Data | Pegasus for Android uses SMS for command and control.1 |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.001 | Calendar Entries | Pegasus for Android accesses calendar entries.1 |
| mobile | T1636.002 | Call Log | Pegasus for Android accesses call logs.1 |
| mobile | T1636.003 | Contact List | Pegasus for Android accesses contact list information.1 |
| mobile | T1418 | Software Discovery | Pegasus for Android accesses the list of installed applications.1 |
| mobile | T1409 | Stored Application Data | Pegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.1 |
| mobile | T1422 | System Network Configuration Discovery | Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming.1 |
| mobile | T1512 | Video Capture | Pegasus for Android has the ability to take pictures using the device camera.1 |