Thursday, October 10, 2024
HomeMalwareA Highly Sophisticated Victim’s Activities Monitoring Android Spyware "Notorious Pegasus" Discovered

A Highly Sophisticated Victim’s Activities Monitoring Android Spyware “Notorious Pegasus” Discovered

Published on

[jpshare]Notorious surveillance software called Pegasus Andriod spyware has been Found which Monitor all the Vicims activities including take Screenshots, capture audio,Camera,Contact list Keystroke logging,read email and pull the data’s from the users Android Mobiles.

Google and the Lookout Security Intelligence team Discovered thisPegasus  Malware and Explained that ,existed as an Android application (APK) that compromised the device to install its malicious payload.

Google Said , This Pegasus Spyware originally Created by NSO Group ,According to news reports, NSO Group sells weaponized software that targets mobile phones to governments.

- Advertisement - EHA

News reports indicate that the Pegasus spyware is sold for use on high-value targets for multiple purposes .

Google and Lookout announced the discovery, Google named this family of spyware
Chrysaor . Lookout references the “Chrysaor naming as part of the Pegasus for Android variant” of the Pegasus family first discovered on iOS

How Chrysaor Works :

To install this Chrysaor Spyware ,attacker specifically target the victim .and force them to install to their phone.

Once Chrysaor is installed Chrysaor Spyware remotely communicate with the Attackers command control Server and once connection has been established , its Automatically surveil the victim’s activities .

While installing this Spyware , exploits to escalate privileges and break Android’s application sandbox.

Specifically Chrysaor Spyware gain the super user privilege of the victims Mobiles and started to spying the users Activities .

Pegasus Detected as Anomalous Malware :

Lookout Security Intelligence team said , Analyzed the data that indicated these findings were anomalous.
 
Security Intelligence analysts were able to pinpoint a suspect set of apps which did not exist anywhere else in the world, including in public app stores or on public sources like VirusTotal.
 

“These apps contained metadata such as package names and signer information that only appeared in very limited cases which correlated with Pegasus-specific IOCs.”

Communication Methods :

Lookout Security Said ,Android equivalent is capable of communicating to attacker-controlled infrastructure via a number of different mechanisms and protocols. This includes via SMS, over HTTP, and through the Message Queue Telemetry Transport (MQTT) protocol.
  • A command included in the initial configuration.
  • A command sent via SMS.
  • A command sent in an HTTP response from an existing C2 server.

Targeted Applications :

According to the  Lookout Security , These are the Target Applications by Pegasus Spyware .

  • WhatsApp
  • Skype
  • Facebook
  • Viber
  • Kakao
  • Twitter
  • Gmail
  • Android’s Native Browser or Chrome
  • Android’s Native Email
  • Calendar

Analysis showed that in order to achieve this, Pegasus for Android first checked whether certain messaging app databases were present before using its super user access to query them and retrieve user content.

This included email messages, chat conversations, sent attachments, and cached content. We observed Pegasus for Android modifying the read, write, and execute permissions of the databases it targets to be accessible by all users.

Also Read :

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...

Wireshark 4.4.1 Released, What’s new!

Wireshark, the world’s leading network protocol analyzer, has just released version 4.4.1, bringing a...

Multiple VMware NSX Vulnerabilities Let Attackers Gain Root Access

VMware has disclosed multiple vulnerabilities in its NSX product line that could potentially allow...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

LemonDuck Malware Exploiting SMB Vulnerabilities To Attack Windwos Servers

The attackers exploited the EternalBlue vulnerability to gain initial access to the observatory farm,...

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...