Pegasus for iOS

Pegasus for iOS is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. [1] [2] The Android version is tracked separately under Pegasus for Android.

ID: S0289
Type: MALWARE
Platforms: iOS
Version: 1.1
Created: 25 October 2017
Last Modified: 24 January 2020

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

Pegasus for iOS captures call logs.[1]

Mobile T1432 Access Contact List

Pegasus for iOS gathers contacts from the system by dumping the victim's address book.[1]

Mobile T1409 Access Stored Application Data

Pegasus for iOS accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.[1]

Mobile T1438 Alternate Network Mediums

Pegasus for iOS uses SMS for command and control.[1]

Mobile T1429 Capture Audio

Pegasus for iOS has the ability to record audio.[1]

Mobile T1412 Capture SMS Messages

Pegasus for iOS captures SMS messages that the victim sends or receives.[1]

Mobile T1456 Drive-by Compromise

Pegasus for iOS was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.[1]

Mobile T1404 Exploit OS Vulnerability

Pegasus for iOS exploits iOS vulnerabilities to escalate privileges.[1]

Mobile T1477 Exploit via Radio Interfaces

Pegasus for iOS was delivered via an SMS message containing a link to a web site with malicious code.[2]

Mobile T1430 Location Tracking

Pegasus for iOS update and sends the location of the phone.[1]

Mobile T1400 Modify System Partition

Pegasus for iOS modifies the system partition to maintain persistence.[1]

Mobile T1426 System Information Discovery

Pegasus for iOS monitors the victim for status and disables other access to the phone by other jailbreaking software.[1]

Mobile T1422 System Network Configuration Discovery

Pegasus for iOS monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.[1]

References