Monday, November 25, 2024
HomeMalwareA Highly Sophisticated Victim’s Activities Monitoring Android Spyware "Notorious Pegasus" Discovered

A Highly Sophisticated Victim’s Activities Monitoring Android Spyware “Notorious Pegasus” Discovered

Published on

[jpshare]Notorious surveillance software called Pegasus Andriod spyware has been Found which Monitor all the Vicims activities including take Screenshots, capture audio,Camera,Contact list Keystroke logging,read email and pull the data’s from the users Android Mobiles.

Google and the Lookout Security Intelligence team Discovered thisPegasus  Malware and Explained that ,existed as an Android application (APK) that compromised the device to install its malicious payload.

Google Said , This Pegasus Spyware originally Created by NSO Group ,According to news reports, NSO Group sells weaponized software that targets mobile phones to governments.

- Advertisement - SIEM as a Service

News reports indicate that the Pegasus spyware is sold for use on high-value targets for multiple purposes .

Google and Lookout announced the discovery, Google named this family of spyware
Chrysaor . Lookout references the “Chrysaor naming as part of the Pegasus for Android variant” of the Pegasus family first discovered on iOS

How Chrysaor Works :

To install this Chrysaor Spyware ,attacker specifically target the victim .and force them to install to their phone.

Once Chrysaor is installed Chrysaor Spyware remotely communicate with the Attackers command control Server and once connection has been established , its Automatically surveil the victim’s activities .

While installing this Spyware , exploits to escalate privileges and break Android’s application sandbox.

Specifically Chrysaor Spyware gain the super user privilege of the victims Mobiles and started to spying the users Activities .

Pegasus Detected as Anomalous Malware :

Lookout Security Intelligence team said , Analyzed the data that indicated these findings were anomalous.
 
Security Intelligence analysts were able to pinpoint a suspect set of apps which did not exist anywhere else in the world, including in public app stores or on public sources like VirusTotal.
 

“These apps contained metadata such as package names and signer information that only appeared in very limited cases which correlated with Pegasus-specific IOCs.”

Communication Methods :

Lookout Security Said ,Android equivalent is capable of communicating to attacker-controlled infrastructure via a number of different mechanisms and protocols. This includes via SMS, over HTTP, and through the Message Queue Telemetry Transport (MQTT) protocol.
  • A command included in the initial configuration.
  • A command sent via SMS.
  • A command sent in an HTTP response from an existing C2 server.

Targeted Applications :

According to the  Lookout Security , These are the Target Applications by Pegasus Spyware .

  • WhatsApp
  • Skype
  • Facebook
  • Viber
  • Kakao
  • Twitter
  • Gmail
  • Android’s Native Browser or Chrome
  • Android’s Native Email
  • Calendar

Analysis showed that in order to achieve this, Pegasus for Android first checked whether certain messaging app databases were present before using its super user access to query them and retrieve user content.

This included email messages, chat conversations, sent attachments, and cached content. We observed Pegasus for Android modifying the read, write, and execute permissions of the databases it targets to be accessible by all users.

Also Read :

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Massive Credit Card Leak, Database of 1,221,551 Cards Circulating on Dark Web

A massive data breach has sent shockwaves across the globe, as a database containing...

Nearest Neighbor Attacks: Russian APT Hack The Target By Exploiting Nearby Wi-Fi Networks

Recent research has revealed that a Russian advanced persistent threat (APT) group, tracked as...

240+ Domains Used By PhaaS Platform ONNX Seized by Microsoft

Microsoft's Digital Crimes Unit (DCU) has disrupted a significant phishing-as-a-service (PhaaS) operation run by...

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Russian TAG-110 Hacked 60+ Users With HTML Loaded & Python Backdoor

The Russian threat group TAG-110, linked to BlueDelta (APT28), is actively targeting organizations in...

Earth Kasha Upgraded Their Arsenal With New Tactics To Attack Organizations

Earth Kasha, a threat actor linked to APT10, has expanded its targeting scope to...

Raspberry Robin Employs TOR Network For C2 Servers Communication

Raspberry Robin, a stealthy malware discovered in 2021, leverages advanced obfuscation techniques to evade...