Malware Analysis of Pegasus Spyware

Alameen Karim Merali
32 min read · Nov 11, 2023


Introduction

This research serves as a comprehensive report on the Pegasus Spyware samples for Android devices that Jonathan Boyd Scott (also known as Jonathan Scott) uploaded to his GitHub repository, so a shout-out to him: without the samples from his GitHub, this research wouldn’t have been possible. Both dynamic and static analysis are presented here for all six available samples. The sixth sample is in XML format and no APK is provided for it, so it is analysed statically only. Sample 5.1 is not analysed in this report, as it relates to sample 5.0 and functions in the same way as the other Pegasus samples analysed below.

For those who don’t know what Pegasus Spyware is: it is a zero-day, zero-click espionage tool developed by the Israeli NSO Group (a company that works with the Israeli government) and used by governments and intelligence agencies internationally to spy on activity related to crime and terrorism.

The Static Analysis will be performed using JADX — Dex to Java Decompiler.

The report

As you all know, we normally begin malware research with threat intelligence engines such as VirusTotal, Joe Sandbox and similar services. So, without further ado, let’s get started with this research.

Pegasus Sample 1:

This section presents the report on the first sample of Pegasus Spyware. You can access the sample from this GitHub repository. This sample isn’t actually the Pegasus malware itself; it is a random game assistant developed by some Chinese developers. However, it uses the same injector as Pegasus to help spread itself, which gives us an idea of how Pegasus actually works. Contrary to the popular belief spread by Jonathan that this is Pegasus itself, it isn’t, but it does give a deeper understanding of how Pegasus works.

Dynamic Analysis:

After opening the app, it is clearly Chinese: the background, the text and the whole interface are in Chinese. The app itself doesn’t show the symptoms you would expect during analysis, because of the stealthiness of such malware and the activities it performs. It is also worth noting that the app was flagged by Google Play Protect during installation. The malware was monitored for a full day before proceeding with static analysis.

Threat Intelligence Engine Static Analysis:

You can access the comprehensive VirusTotal Analysis of this malware sample from here.

Here we see a brief overview showing that this sample exploits Adobe XMP, which is normally stored in XML format.

This would explain why the sixth sample is only an XML file, since the main point of exploitation for this malware is the device’s capability to read XML files. We can also see other capabilities this program has: checking your GPS data, exiting a program, containing ELF files (which are mainly meant to run as executables on Linux operating systems, so it makes sense that the spyware has some kind of payload linked to it), exploiting telephony vulnerabilities (something similar to the SS7 vulnerability), accessing clipboard data, exploiting dynamic call tracking (which uses Dynamic Number Insertion to show different phone numbers to various audiences and campaigns) and even checking your device’s CPU information.

We can see here that 34 anti-virus vendors have flagged this file as either Spyware or Cryptor, giving different names for its variants, which can be checked in a malware encyclopedia.

While the malware family of this specific sample is the same as the Pegasus family, it’s important to note that this malware is not Pegasus, but uses the injector which Pegasus uses.

We can see from here that this APK File has existed for a while and was first seen in 2013.

We can also see that it is executable, which explains the presence of the ELF file.

From here, we can see the different names this APK has used and its original package name as well.

It looks like, using social engineering techniques, this malware was meant to be disguised as a game assistant for the Android device, but eventually got detected. That is why it has been classified as a Trojan, since this is what a Trojan is meant to do.

Here we see the certificate and its attributes, which date back to 2009.

We can further see the permissions this spyware can exploit. These include access to the entire system, knowing when the device boots up, access to root privileges (another way of saying system administrator, which gives full control over the system and its resources, including the operating system files), read access to storage, read access to phone state (which gives the spyware access to your device’s accounts, phone book, cookies linked to accounts, sync function and more), access to your accurate location, write access to internal and external storage (meaning it can create files and the like), access to your network information and even your real-time activity as you use the device.

We can see here the domain it redirects information to, and that it contains a Linux executable (ELF) file.

We also get more information on the executable, which has likewise existed since 2013.

We can further see the domains this spyware connects to.
We can now see the IP addresses this malware has contacted.
We can now see the execution parent of the file, which shows Pegasus.

While it does say the execution parent belongs to Pegasus, it is specifically referring to the injector sample that was used in this malware sample.

We can see here that the spyware has the ability to inject itself and spread.

This is evident from the inject module referenced there; since it is an ELF file, it has the ability to exploit Linux. It injects the malware into other files and apps on your device and network.

You can access the detailed Joe Sandbox analysis from here. Not everything will be shown in this threat intelligence report, since it is quite long; only the necessary parts are shown here:

Explanation below

We can see here that the program has more abilities of performing spy activities, evade anti-malware and anti-virus as well as function as a Trojan and get access to banking information.

We can see Joe Sandbox analysing suspicious permissions here.

These suspicious permissions include the ability to mount the system partition as writeable and to request root access to the system in order to run some kind of installer. This could be an installer for more malware. We can also see that it uses root access to reach the injector, which may be so it can inject system files with spyware (not Pegasus, but the Chinese game assistant itself).

Malware Injector Root Permission being executed as a System Process in the background
Malware having a suspicious permission for some kind of file install
Malware having suspicious root permission for a file install
The injector and executable of the malware mostly being ELF Files, which work as injectors for the malware into different parts of the system.

This is obvious, since Android is based on the Linux kernel. Needless to say, we can’t know whether this file is made to infect only Android or other Linux systems as well, including the PS4 and the like.

The malware has the ability to send and receive information from the Web.

This could lead to the potential threat of the malware being used to steal data and other information and send it back to the attacker. We can further see below from the Whois information that this domain is hosted in Alibaba Cloud and that the domain is based in China as well:

Malware being based in China
From here, we can see the same suspicious permissions as in VirusTotal.
From the certificate information, we see an email tied to a unique identifier of the developer.

Once again, the domain of the email ties to a person in China and not Israel, which makes it obvious that the malware is Chinese and not the real Pegasus, just an injector that can give an idea of how the Pegasus malware works.

Whois Information shows China, once again

As seen above, the Whois information of the site redirects to China as well, with servers hosted in China.

We can further see other suspicious things this malware is capable of doing.

Source Code Static Analysis:

Unique ID is same as Joe Sandbox Provided Unique ID

We can see here different information such as digital fingerprints (these are very important in digital forensics, as they are unique to the program) and a unique identifier showing the same email of that Chinese developer.

Suspicious Permissions

We can see all the suspicious permissions this malware has here, including that they are in XML format, just as the VirusTotal result showed. These same permissions appear in the VirusTotal analysis and the Joe Sandbox analysis as well.

We can see some funny Chinese code in the layout of the app
Inject ELF File

This further shows the code of the ELF file performing network enumeration remotely, injecting malicious code into a process in the background, executing remote arbitrary code and downloading malicious parameters onto the device. This should give a basic idea of how Pegasus works, since the injector comes from a sample of the Pegasus Spyware and was edited (while the malware itself isn’t Pegasus, the Chinese developers took it and made a copy of their own spyware that functions in exactly the same manner as Pegasus itself).

All the malware files

We can further see that all the malware files, including the injector, are present within the source code of the APK file.

Suspicious Permissions

As we can see, the malware has the ability to query the device for files within the system and gain root, excluding files that can’t be found, and even has the ability to find the root path. What is suspicious is the permission for WebKit (showing that the information is most probably being sent back to the attacker) and Map, as well as the operating system information.

The app having the ability to query databases
Internet Connection Capabilities
Ability to synchronize system clock
Ability to send text messages
App has ability to send text messages
Ability to send text messages and synchronize with system clock
Ability to get the device’s default shared preferences
Ability to get the device UUID and the time in milliseconds
Information about the Developer

Here we see some more information about the developer, including another domain they use and their QQ information. If we query the domain in Whois, we don’t really get any information, since the domain doesn’t exist:

No whois information

Nonetheless, from the domain name itself we can get a basic understanding that it is Chinese, since the domain name looks to be based in China.

We can see here that the app has the ability to send SMS and create an HTTP connection.

The HTTP Connection is for the attacker to send and receive information from the victim via a command and control server, while the SMS is mostly for SMS Fraud.

Pegasus Injector Helper

We can see from here that the Pegasus Injector Helper runs the executable Inject and SO File libghost.so, which are both malicious programs as shown earlier (Execute Arbitrary Code, Nmap Scan and more). The app even requests and waits for root from here as well.

It has the ability to terminate a process and get an absolute path from external storage device
Native Installer loads the Pegasus Injector Payload

As seen here, the native installer has the ability to install files and load the Pegasus Injector Payload into the system, to inject into the file that it’s installing. It even has the ability to create directories within the system.

Inject into root of the system

We can now see that the Pegasus Injector Install Helper has the ability to inject the payload into the system after the root has been granted by the system administrator.

We see more references to installations here as well and injection of the payload

Well, that’s all for the analysis of sample 1. If you’d like to perform your own analysis, you can, and if you want to incorporate my research into yours, don’t forget to credit me for the analysis.

Sample 2:

This report will be presented here for the second sample of Pegasus Spyware. You can access the sample from this GitHub Repository. Apart from the analysis performed above, this is a sample of Pegasus itself, as we are going to see.

Dynamic Analysis:

The program is flagged by Google Play Protect during installation and is stealthy enough not to show any symptoms of infection, exactly like the first sample analysed. Nonetheless, the device sometimes shows that a message is being sent, but when opening the SMS app there is no SMS there (this shouldn’t worry me since I used a spare phone without any data in it). The malware has the ability to hide its own icon; it only gives an error once opened, saying that the app cannot work on the phone, then closes and hides itself. This dynamic analysis took one day to finish.

Threat Intelligence Engine Static Analysis:

For the full VirusTotal Report on this sample, please visit this page.

Here we see that the malware is flagged by 43 anti-malware vendors.

We even get to see that the malware is spread via Tor, it’s obfuscated in a way that it can’t be easily detected once installed and it even has the ability to send SMS.

From here, we see other IoCs of the malware, and we get to see that it has existed since 2011.
Name changes the malware has undergone in the past

It looks like this malware is made to function as an Android rootkit, so once it has hidden itself, it identifies as part of the system software when it isn’t. The package name makes it obvious that anyone looking for this malware wouldn’t identify it easily during dynamic analysis, because it has a system-like name tied to it which makes it look like system software when it isn’t.

From here, we begin to see that the malware has suspicious permissions

This malware has the ability to connect to the internet, change your phone’s configuration settings, read your calendars, read your contacts, write to browser history and bookmarks, change the Wi-Fi state, change the time zone, open system alert windows and even record audio.

Here we further see other capabilities this malware has, including spying on WhatsApp messages.

Now we can get to the Joe Sandbox report on this malware, which you can view from here. Please note that only the necessary parts of this analysis report will be shown here, not the full report; you can, however, check the full report from the link yourself.

We can see here that the app is flagged by multiple anti-virus vendors and has the ability to drop a new APK file into the system.

This could have been analysed further through dynamic analysis as well, but since my device isn’t rooted, I couldn’t access the system files to check base.apk. This simply means that the malware acts as a downloader and dropper for the malware itself.

We can see from here that the malware has the ability to receive SMS
Suspicious Permissions
More suspicious permissions
Even more suspicious permissions
More suspicious permissions
More suspicious permissions
Over here we see more suspicious permissions and that the certificate used identifies as Android (Good OpSec)
We can see the latest data from this year

This is when the malware used Google Mobile Services to transfer data back to the command and control servers of the attacker who deployed it; a raw data value is seen as well.

Information on data coming into the device from the Command and Control Server

Now since we’re done reviewing the Threat Intelligence Engine Reports, this gives us a basic overview of what this malware is capable of doing and will help during the Source Code Static Analysis as we shall see below.

Source Code Static Analysis:

We can see here that the APK signatures match the information from the threat intelligence engines.
From here we can see an SMS receiver and the suspicious permissions as well.
More suspicious permissions on the malware
More suspicious permissions
More suspicious permissions
Last suspicious permissions

These are the same suspicious permissions covered under the Joe Sandbox threat intelligence analysis. We can see that this app can do more than the previously analysed app, which is a good marker for the Pegasus malware. With all the permissions it requires, this malware can do a lot more harm than the other program.

App has the ability to exploit System Utilities to get and send SMS
App’s code showing the SMS Editor used to type, send and even get SMS
App still having the ability to send SMS
App having the ability to change the system time and get data from external storage media

This further shows that the app has the ability to gain root access as well. Root access is represented by su, which means superuser.

Once again, this shows the app’s ability to change the permissions of a program, get access to root privileges and access the system storage as well.
The app having the ability to change the permissions of files to read, write and execute, then copying them.
The app having the ability to perform text message editing.
The app having the ability to change the permissions of system files to read, write and execute.

This is dangerous, since system files are only supposed to be accessible after gaining root; changing their permissions to read, write and execute for everyone (777) risks the system files being accessed, changed, deleted or otherwise tampered with by anyone. These file permissions aren’t supposed to be changed this way, and doing so can cause fatal issues for the device later on.

The app has the ability to kill processes and even read mails
The app has the ability to mount storage devices
The app has the ability to copy files from internal storage
The app has the ability to run processes in the background and change system file permissions to Read, Write and Executable

This is mostly done using root privileges within the system, since without root privileges these system files cannot be changed. Root is simply the highest privilege level given to a Linux system administrator.
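As an added example (not code from this post or from any of the samples), the following Python script scans JADX-style decompiled Java for the privileged-shell behaviours described above: su requests, chmod 777, remounting the system partition writable, shell installs of another APK, process kills and launcher hiding. The `SAMPLE_JAVA` snippet is constructed stand-in input, and the class and method names in it are invented.

```python
"""Scan decompiled Java (JADX output) for the privileged-shell indicators described above.

Added example, not code from the post or the samples: it flags su requests,
chmod 777, /system remounts, shell APK installs, process kills and launcher
hiding, with the line each hit is on. SAMPLE_JAVA is a constructed stand-in
for decompiled code, not text taken from any sample.
"""
import re

# (kind, pattern, what the page says the behaviour is used for)
INDICATORS = [
    ("root-request", re.compile(r'\bexec\((?:new String\[\]\s*\{)?\s*"su"'),
     "spawns su to obtain root"),
    ("world-writable", re.compile(r'\bchmod\s+0?777\b'),
     "makes files read/write/execute for everyone (777)"),
    ("remount-system", re.compile(r'\bmount\s+-o\s+(?:remount,)?rw\b.*\bsystem\b'),
     "remounts the system partition writable"),
    ("silent-install", re.compile(r'\bpm\s+install\b'),
     "installs another APK from the shell (dropper behaviour)"),
    ("kill-process", re.compile(r'\bkillProcess\(|\bkill\s+-9\b'),
     "kills other processes"),
    ("hide-icon", re.compile(r'setComponentEnabledSetting\(.*COMPONENT_ENABLED_STATE_DISABLED'),
     "disables its own launcher component so the icon disappears"),
]


def scan_source(java_text):
    """Return one finding per (line, indicator) hit, in file order."""
    findings = []
    for lineno, line in enumerate(java_text.splitlines(), start=1):
        for kind, pattern, description in INDICATORS:
            match = pattern.search(line)
            if match:
                findings.append({"line": lineno, "kind": kind,
                                 "evidence": match.group(0).strip(),
                                 "description": description})
    return findings


def indicator_kinds(findings):
    """Distinct indicator kinds seen, sorted, for a one-line verdict."""
    return sorted({f["kind"] for f in findings})


# Constructed stand-in for decompiled output; class and method names are invented.
SAMPLE_JAVA = '''\
public class RootHelper {
    public static void escalate() throws Exception {
        Process p = Runtime.getRuntime().exec("su");
        DataOutputStream os = new DataOutputStream(p.getOutputStream());
        os.writeBytes("mount -o remount,rw /system\\n");
        os.writeBytes("chmod 777 /system/app\\n");
        os.writeBytes("pm install -r /sdcard/base.apk\\n");
        os.flush();
    }
    public static void hide(Context ctx, int pid) {
        ctx.getPackageManager().setComponentEnabledSetting(new ComponentName(ctx, MainActivity.class), PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
        android.os.Process.killProcess(pid);
    }
}
'''

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA):
        print("line %2d  %-15s %s" % (f["line"], f["kind"], f["description"]))
```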

We can see here that the app has the ability to install another APK file into the system, namely the base.apk file.
We can see here that the code of the logger refers to the name of our malware, Pegasus.
We can see it has the ability to do more as well.
We can see it has the ability to append the SMS into an HTML format.

We can further see that it has the ability to log received messages, access the editor from the SkeletonActivity code we looked at earlier (which has the ability to perform very suspicious activities), print a message to the screen and even embed the messages in an HTML document.

From here, we see that the app has the ability to access the network
We can see from here, the app has the ability to exfiltrate data from the SMS Receiver
The app has the ability to get more information from the SMS Receiver including Phone Number, Data, SMS Length and more

Well, that’s all for the analysis of sample 2. If you’d like to perform your own analysis, you can, and if you want to incorporate my research into yours, don’t forget to credit me for the analysis.

Sample 3:

This section presents the report on the third sample of Pegasus Spyware. You can access the sample from this GitHub repository.

Dynamic Analysis:

The app is flagged by Google Play Protect during installation but requests that all permissions be granted; after that, it crashes itself several times and then hides itself. The app has a name similar to a piece of system software called Media Sync. Although this is not a media sync tool, anyone would be fooled, and the app would be very difficult to detect and remove because it functions as a rootkit. This dynamic analysis took one day to finish.

Threat Intelligence Engine Static Analysis:

You can view the entire VirusTotal Report from here.

We can see here that this app is flagged as a malicious version of Pegasus for Android and has been flagged by over 44 anti-malware programs.

We can also see that the app contains an executable ELF file, which I’m sure is the Pegasus injector analysed previously in the first sample, this time used in a real sample of the Pegasus Spyware itself. We can also see that it is obfuscated; this is mostly a Trojan trait and a capability of the malware itself so that it doesn’t get easily detected, and it can even involve changing the code so that it isn’t detected by anti-malware.

From here, we can see the different indicators of compromise, as well as how long this app has existed for, since 1980.
Over here, we see other names that this app has used in the past
Over here, we see the kind of permissions this app can exploit and the activities and services it runs in the background

The app has the ability to read calendar information, access the internet, change your device’s configuration settings, read your contacts, write to browsing bookmarks and history, change the Wi-Fi state, change the time zone, change the sync settings, display system alert windows, and even perform suspicious activities and run suspicious services.

This is obvious because these services and activities correlate with the package name, which makes it clear that the app has the ability to hide itself. Also, the way the app behaves from the dynamic analysis point of view makes it obvious that the app can function as a rootkit and hide within the system, pretending to be system software when it isn’t, once it has hidden itself.

We can see from here that the app contains a Linux Executable

This is obvious since Android runs under the Linux Kernel. Nonetheless, since this version of Pegasus is meant to exploit the capabilities of Android Devices, we can be sure that this can’t exploit other flavors of Linux including the PS4 since it wasn’t built for that.

The execution parent of the malware is an EXE file

We can see here that the execution parent is an EXE file. This shouldn’t trick us, however, since we know that Pegasus is mainly meant to exploit Android and iOS. This would simply mean that some samples of the ELF file were possibly copied and used to make the executable, just as in the first sample. Nonetheless, the EXE file is most likely not Pegasus.

The resources within the APK File

Here we can see the information on the resources within the APK file. These include some of the infected files that are probably injectors for Pegasus, used to spread the malware over the network or into other apps and processes to exploit privilege escalation, like the first sample, but this time used in a real sample of Pegasus itself. We can further see that the IDE used for the development of this malware is the Eclipse Android IDE. Unlike the second Pegasus sample, which downloaded a payload named base.apk in the background, this one injects the payload and malicious code it already has embedded in a Linux executable.

You can access the detailed information from the Joe Sandbox analysis from here.

We can see here that the app is detected by multiple anti-virus vendors and that it has a suspicious certificate as well.
From here, we can see the suspicious intents the app’s receivers handle.

These include checking if the boot is completed, checking for received SMS, Accessing the Phone State (This can give access to cookies and saved sync data).
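The permission lists for samples 1, 2 and 3 above and the boot/SMS/phone-state receivers just described can be triaged mechanically from a decoded manifest. The following Python script is an added example (not code from this post or from the samples) that does so and also flags the two stealth traits the dynamic analyses describe: a system-looking package name and a disabled launcher activity. `SAMPLE_MANIFEST`, its package name `com.android.mediasync` and the component names are constructed.

```python
"""Triage a decoded AndroidManifest.xml for the indicators this write-up keeps flagging.

Added example (not code from the post or from the samples): it reports the
dangerous permissions, the boot/SMS/phone-state receivers, a system-looking
package name and a disabled launcher activity (icon hidden), then scores them.
SAMPLE_MANIFEST is constructed for illustration; it is not one of the samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions called out in the VirusTotal and Joe Sandbox sections for samples 1 to 3.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "knows when the device boots",
    "android.permission.READ_PHONE_STATE": "reads phone state and identifiers",
    "android.permission.ACCESS_FINE_LOCATION": "reads precise location",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS": "mounts/unmounts partitions",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
    "android.permission.SEND_SMS": "sends SMS",
    "android.permission.READ_CONTACTS": "reads contacts",
    "android.permission.WRITE_HISTORY_BOOKMARKS": "writes browser history and bookmarks",
    "android.permission.SET_TIME_ZONE": "changes the time zone",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps",
    "android.permission.RECORD_AUDIO": "records audio",
}

# Broadcast actions the receivers on this page register for.
SUSPICIOUS_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "starts at boot (persistence)",
    "android.provider.Telephony.SMS_RECEIVED": "reacts to incoming SMS",
    "android.intent.action.PHONE_STATE": "monitors call state",
}

# Constructed heuristic for the "looks like system software" package names above.
SYSTEM_LIKE_PREFIXES = ("com.android.", "android.", "com.google.android.")


def _attr(element, name):
    """Read an android:-namespaced attribute, or None if absent."""
    return element.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(xml_text):
    """Return a dict of findings for one decoded manifest."""
    root = ET.fromstring(xml_text)
    package = root.get("package") or ""
    findings = {
        "package": package,
        "system_like_package": package.startswith(SYSTEM_LIKE_PREFIXES),
        "permissions": [],
        "receivers": [],
        "hidden_launcher": True,  # cleared as soon as an enabled launcher activity is found
    }
    for perm in root.iter("uses-permission"):
        name = _attr(perm, "name")
        if name in SUSPICIOUS_PERMISSIONS:
            findings["permissions"].append((name, SUSPICIOUS_PERMISSIONS[name]))
    for comp in root.iter():
        if comp.tag == "receiver":
            for action in comp.iter("action"):
                name = _attr(action, "name")
                if name in SUSPICIOUS_ACTIONS:
                    findings["receivers"].append((_attr(comp, "name"), name, SUSPICIOUS_ACTIONS[name]))
        elif comp.tag in ("activity", "activity-alias"):
            categories = {_attr(c, "name") for c in comp.iter("category")}
            enabled = (_attr(comp, "enabled") or "true").lower() == "true"
            if "android.intent.category.LAUNCHER" in categories and enabled:
                findings["hidden_launcher"] = False
    return findings


def risk_score(findings):
    """One point per permission or receiver hit, two for each stealth trait."""
    score = len(findings["permissions"]) + len(findings["receivers"])
    return score + 2 * int(findings["system_like_package"]) + 2 * int(findings["hidden_launcher"])


# Constructed manifest modelled on the "Media Sync" disguise described for sample 3.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.android.mediasync">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Media Sync">
        <activity android:name=".MainActivity" android:enabled="false">
            <intent-filter><action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
        </activity>
        <receiver android:name=".SmsReceiver">
            <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
        </receiver>
    </application>
</manifest>
"""
```

Run it against the output of `jadx -d out sample.apk` (the decoded `AndroidManifest.xml` under `out/resources/`) to get the same findings the threat intelligence engines list.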

We can see from here more suspicious intents the apps receivers can do as well as services that it can run in the background

While the services used are mostly from the app itself, we can see that one of them has the ability to access network information.

Suspicious Permissions
More suspicious permissions
More suspicious permissions
More suspicious permissions
More suspicious permissions
Last suspicious permissions
Over here, we see some of the simulations this app has done by logging some data

Since we are now done with the analysis using the Threat Intelligence Engine for this spyware, we can further begin to perform Source Code Analysis since we now have an idea of what to expect when performing the Source Code Analysis.

Source Code Static Analysis:

We can see here that the certificate information is the same as provided by VirusTotal and Joe Sandbox.
We can see here that the app has the ability to connect to the Eclipse Paho client, which proves the app was created under the Eclipse IDE.
Here we see the same injector as analysed in the first sample appearing again.

The code of the injector is exactly the same as in the first sample, if you go through it and check it properly. The code is meant to exploit RCE (remote code execution), run nmap and inject a malicious process into an application, process or memory region within the system, as explained in the analysis of the first sample.

Looks like we managed to get some names and a company dating back to the ’90s
Googling Glenn Randers-Pehrson
Reveals further information about him being from the US Army
A computer scientist and even a software developer

This could make it quite obvious that the US Army helped the NSO Group in building some parts of the Pegasus Spyware.

Googling Andreas Dilger further reveals he’s a CTO
We can see he’s tied to everything software related
He’s a software developer and software engineer at most
We further get to see that he even worked for IBM and that he’s Canadian
Googling Guy Eric Schalnat reveals they are all tied to libpng as developers of the software

You can read more about libpng from here. Nonetheless, it seems that some of the source code behind libpng was used in the Pegasus malware.

We get to see that the package name is very suspicious, as are the permissions.
Over here, we see more suspicious permissions, receivers and services
Over here, we see the app has more suspicious permissions
More suspicious permissions
More suspicious permissions
More suspicious permissions

This is the same package name and information given by the VirusTotal and the Joe SandBox as well. The suspicious permissions, services and receivers are the same as well.

The app is set to require permissions in order to work
The app is restricted to a certain value of something (This could probably be for text messages or similar)
The app has a visibility retention policy
The app has the ability to be mirrored/perform reflection

As we can see, it even has the ability to change its own theming to change the way it looks.

The app has the ability to check if an animation is running
The app has the ability to parse a path and transfer data to a network node after creating it
The app has the ability to perform accessibility

This app can create strings for Intrusion Detection Systems, Enhanced Web Accessibility Settings, Filtered Events as well as get feedback from the Accessibility Service of the device.

The app has the ability to access time settings for animators
The app has the ability to get network information and make an internet connection
The app has the ability to check if you have a metered connection
The app has the ability to get location from long distance
The app has the ability to access the location manager

As you can see, the app has a lot of obfuscation that can’t be properly read, but it’s easy to identify this as malware if you understand code, even with the obfuscation applied. This is a method called encoding, which is normally used to hide from anti-malware scanners.

From here, we see that the app has the ability to access the Android Package Manager
The app has the ability to hash, add and remove data collectors from device.

Well, that’s all for the analysis of sample 3. If you’d like to perform your own analysis, you can, and if you want to incorporate my research into yours, don’t forget to credit me for the analysis.

Sample 4:

This section presents the report on the fourth sample of Pegasus Spyware. You can access the sample from this GitHub repository.

Dynamic Analysis:

The app’s installation is flagged by Google Play Protect, but after the app is installed and all the permissions are granted, it shows a Chinese interface when opened and then closes itself, showing a Chinese name, with the icon hiding itself. The Android system shows “Sending Message”, but nothing corresponds to it: if the Messages app is checked, there’s nothing there. This app was tested for one day, and it’s undoubtedly another one of those apps that isn’t really Pegasus, the same as the first sample analysed above.

Threat Intelligence Engine Static Analysis:

For the full VirusTotal Analysis Report, please visit this link.

We can see from here that the result is similar to the first submitted sample with 34 Anti-Malware Engines flagging this malware

The result is similar to the first sample, with the program containing an ELF, being able to exploit telephony vulnerabilities, detect a debug environment, perform reflection, check GPS coordinates, check CPU information, and being obfuscated. The information from the YARA rule is the same as in the first sample as well.

Over here, we can see the indicators of compromise used on this malware by VirusTotal

We can also see that there is an executable in the APK file, which of course is the ELF file, a Linux executable. This makes sense since Android is built on the Linux kernel. Since this file is meant to exploit Android devices at most, it is doubtful that it could exploit other Linux systems such as a PS4 or a PC, but questions can still be raised, as we saw in the previous analysis that the injector was parented to an EXE file, so with all these files it’s still possible.

Here we can see that the fourth sample only came into existence recently, in 2010, as well as the name changes of the file from past submissions.
From here, it looks like the malware belongs to Lenovo in China.

This is most likely because it’s used as a Trojan, so it could not be from Lenovo. Nonetheless, since we are sure this app isn’t Pegasus but rather uses the injector just as the first sample does, we can conclude that it was made by Chinese developers because of its Chinese user interface.

Suspicious Permissions and Activities of the app
Suspicious services and receivers of the app
Suspicious providers of the app
Suspicious intentions that this app can perform

Once again, since the app doesn’t have anything to do with Lenovo and doesn’t have a Lenovo interface when opened (it just crashes and disappears), it is right to say that these intents, providers, services, receivers and permissions were edited by these Chinese developers to make it look like a Lenovo application when submitted to threat intelligence engines for analysis, or when a malware analyst performs the analysis themselves. This is a good way of obfuscating the identity of a Trojan.

You can view the full Joe Sandbox malware report from here.

Multiple anti-virus vendors flag this app
The app can remount system partitions (mounting and unmounting file systems), which on a rooted device lets it modify protected parts of the system; Joe Sandbox classes this under privilege escalation
We can see from here that the app has the ability to end incoming calls by accessing the Telephony Service
We can see from here that the app has the ability to end background processes and request root access to do so (If the device is rooted)
We can see from here that the app has the ability to delete call logs
We can see from here that this app has the ability to uninstall other apps
Further evidence of the ability to uninstall other apps
We can see from here, the app tries to change file permissions and sometimes uses root to do so (If the device is rooted)
The app uses the command line interface to install other APKs (Probably more malware into the system)
The app checks whether ADB is enabled and queries the device's phone number
The app has the ability to intercept SMS
We can see some suspicious permissions here
More suspicious permissions
Last suspicious permissions

The permission set also supports the view that this app is not Pegasus: it requests fewer permissions than the genuine Pegasus samples. Like the other non-Pegasus Chinese program examined earlier, which also used the Pegasus injector, it still gives a basic idea of how Pegasus operates, through the way the app's permissions and code are arranged to work with the injector.

Outbound traffic from the app to the command-and-control server, following the Google Mobile Services traffic that was also seen in the earlier sample
Suspicious traffic coming into the device from the Command and Control Server

Now that the threat intelligence engines have given us an understanding of how this app functions, let's look at the source code.

Source Code Static Analysis:

The APK's signing certificate matches the one shown by VirusTotal and Joe Sandbox
The app presents itself as an anti-malware product

It also opens an SQLite database on the device to store the entries for its fake anti-malware functionality.

The code indicates that the app targets Lenovo Android devices.

The app filters for these processes, presumably in order to kill them.

The app makes use of a set of permissions; the code responsible is in an ELF file.

The app acquires permissions and executes files within the root of the system (when root access is available on the device).

The app can request root access; this is done from an ELF file.
The app can run a CPU test and gather CPU information, again through an ELF file.
The app can set up its own firewall rules; this too is an ELF file.

This probably works hand in hand with the fake anti-malware component, redirecting traffic that passes through its firewall rules to the command-and-control server. The code is an ELF file renamed with a .dat extension, which is worth noting: file extensions inside an APK are cosmetic, and only the file's header tells you what it really is.
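The following Python scanner is an added example (my own script, not code from the samples or from the original analysis) that does what the screenshots above show manually: it opens an APK as the zip archive it is, checks the first bytes of each entry for the ELF magic instead of trusting the extension, and reads the architecture from the ELF header, so a renamed .dat like this one is caught alongside the regular lib/*.so entries. The APK it runs against is constructed inside the block from minimal ELF headers (not real binaries); pass the bytes of a real sample to scan_apk to use it for real.

```python
"""Find ELF executables inside an APK regardless of file extension.

Added example for this write-up; not code from the analysed samples.
"""
import io
import struct
import zipfile
from typing import Dict, List, Optional

ELF_MAGIC = b"\x7fELF"

# e_machine values for the CPU architectures Android ships native code for.
E_MACHINE = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}


def parse_elf_header(data: bytes) -> Optional[Dict]:
    """Return class/type/machine from an ELF header, or None if not ELF."""
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "bits": 32 if ei_class == 1 else 64,
        "type": E_TYPE.get(e_type, hex(e_type)),
        "machine": E_MACHINE.get(e_machine, hex(e_machine)),
    }


def scan_apk(apk_bytes: bytes) -> List[Dict]:
    """List every zip entry whose content starts with the ELF magic.

    An entry is marked 'disguised' when its path does not look like a
    normal native library (lib/<abi>/*.so), e.g. an ELF renamed to .dat.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                header = parse_elf_header(fh.read(64))
            if header is None:
                continue
            name = info.filename
            disguised = not (name.startswith("lib/") and name.endswith(".so"))
            findings.append({"name": name, "disguised": disguised, **header})
    return findings


def _fake_elf(bits: int, machine: int) -> bytes:
    """Constructed 64-byte ELF header (not a runnable binary) for the demo."""
    ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1, 1, 0]) + b"\x00" * 8
    return ident + struct.pack("<HHI", 2, machine, 1) + b"\x00" * 40


def build_demo_apk() -> bytes:
    """Constructed APK-like zip: one honest .so and one ELF hidden as .dat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)
        zf.writestr("lib/armeabi-v7a/libnative.so", _fake_elf(32, 0x28))
        zf.writestr("assets/config.dat", _fake_elf(32, 0x28))   # renamed ELF
        zf.writestr("assets/readme.txt", b"plain text, not an executable")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_demo_apk()):
        tag = "DISGUISED" if f["disguised"] else "ok"
        print(f"{tag:9} {f['name']} {f['bits']}-bit {f['machine']} {f['type']}")
```

Only the first 64 bytes of each entry are read, so the scan is cheap even on large APKs, and the architecture field tells you immediately which emulator or device you need for dynamic analysis of the native part.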

Here we see the Pegasus injection tool found in the previously analysed samples. This too is an ELF file.

I won't explain it again, as it was already covered in the two previously analysed samples.

Another Pegasus injector, whose function is to inject malicious code into a target process
IP configuration file

The app can rewrite the hosts file. Because the hosts file is consulted before DNS, pinning a hostname there sends that site's traffic to an address of the attacker's choosing (for example the command-and-control server) without any DNS query being made; this can produce malicious pop-ups in web browsers and the like. It makes sense to say that this is tied to the firewall component.
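A quick check a practitioner would run on a hosts file pulled from a suspect device, as an added example (my own code, not part of the original analysis): a stock Android /system/etc/hosts contains only the loopback entries, so every other line is worth a look. The script separates hostnames pinned to a foreign address (redirection) from hostnames pointed at 0.0.0.0 or loopback (sinkholing, which is how malware blackholes update or security servers). The sample hosts content below is constructed, not captured from the analysed device, and the TEST-NET-3 address in it stands in for an attacker-controlled host.

```python
"""Flag hosts-file entries that hijack or sinkhole name resolution.

Added example for this write-up, not code from the sample.  On Android the
file lives at /system/etc/hosts and normally holds only the loopback lines.
"""
import ipaddress
from typing import Dict, List

LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text: str) -> List[Dict]:
    """Return one record per (address, hostname) pair; comments are ignored."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # malformed line, skipped here
        for host in fields[1:]:
            records.append({"line": lineno, "address": addr, "hostname": host.lower()})
    return records


def suspicious_hosts_entries(text: str) -> List[Dict]:
    """Anything other than a loopback name pinned to a loopback address is suspect.

    kind = 'sinkhole' when a real hostname points at 0.0.0.0 or loopback
    (used to block e.g. AV update servers), 'redirect' when it points
    anywhere else.
    """
    flagged = []
    for rec in parse_hosts(text):
        addr = rec["address"]
        if rec["hostname"] in LOCAL_NAMES and addr.is_loopback:
            continue                      # the stock entries
        kind = "sinkhole" if (addr.is_loopback or addr.is_unspecified) else "redirect"
        flagged.append({**rec, "address": str(addr), "kind": kind})
    return flagged


# Constructed sample, not a capture from the analysed device.
DEMO_HOSTS = """\
127.0.0.1       localhost
::1             ip6-localhost
203.0.113.7     www.example-bank.com     # pinned to an attacker-chosen address
0.0.0.0         update.example-av.com    # update server silently blackholed
"""

if __name__ == "__main__":
    for e in suspicious_hosts_entries(DEMO_HOSTS):
        print(f"line {e['line']}: {e['kind']:8} {e['hostname']} -> {e['address']}")
```

On a device you would pull the file with `adb pull /system/etc/hosts` and feed its contents to suspicious_hosts_entries; any hit on a rooted device where the app has been observed remounting /system is strong corroboration of the behaviour described above.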

iptables component. Despite the name, this file is also an ELF executable rather than a text configuration file.

It shows that the app can replace the device's iptables rules with its own, which again fits with the firewall component.

The app appears to scan storage for video files.

This is a separate APK packaged inside the app. Since it is bundled, it is almost certainly what the app installs after its own installation, and it is most likely malicious.

The app appears to contain encryption routines

Such routines could be used to encrypt files or act as a ransomware component, since this kind of cryptographic code is typical of ransomware. It is also found in ordinary apps that protect stored data or command-and-control traffic, so on its own it is not conclusive.

The app can create a network interface. This file is an ELF file, and it is reasonable to say that it is tied to the firewall component.
The app can use the dialer

Since strings referencing DHL, UPS and similar carriers are tied to it, the app could be used for delivery-themed fraud; the numbers it dials are probably those carriers' mobile service codes.

The app ships some suspicious libraries

The cryptor is almost certainly tied to leskey.key and used for cryptographic functions, whether ransomware or the encryption of something on the device. There is also an SMS checker, an SMS parser, and a location-tracing component, meaning the app can collect GPS information.

We can see specific information here tied to a Lenovo Device
We can see from here that the app has the ability to get package information and install packages (APK Files)
Suspicious Permissions
More Suspicious Permissions
End of Suspicious Permissions

These are the same permissions reported by Joe Sandbox and VirusTotal above.

The app can read the cell ID of the serving cell tower
The same applies here, where the app returns cell ID information
The app can collect device data including the IMEI, device type and so on
The app can query GPS information
The app can track GPS position in real time
The app can obtain address details such as district code, latitude, longitude, street name and so on
The app can capture points of interest around the location, such as bank, school, organisation, hotel, car, food and so on
The app exposes the device GUID and IMEI to its browser client
The app can read the device's GPU information
The app can kill processes on the system
The app uses an HTTP client to connect to the command-and-control server

That's all for the analysis of sample 4. If you'd like to perform your own analysis, you can, and if you want to include my research in yours, please credit this analysis.

Sample 5:

This section covers the fifth sample of Pegasus Spyware. You can access the sample from this GitHub Repository.

Dynamic Analysis:

Google Play Protect flags this app during installation, but once installed it hides its launcher icon and shows no further visible sign of its presence, posing as a system app. Hiding the icon and impersonating a system component is an evasion technique rather than a true rootkit (a rootkit hides itself from the operating system, not just from the user), but it does make the app hard for a victim to find and remove. The app resembles the second sample analysed above, with additional capabilities.

Threat Intelligence Engine Static Analysis:

You can view the full VirusTotal Report from here.

The VirusTotal report shows that this app is another Pegasus sample

Yes, this app is a genuine Pegasus sample, not a tool that merely uses the Pegasus injector like the past two analysed samples. As stated in the report, it uses reflection, reads GPS, performs dynamic call functions, sends SMS, obtains root access on the system, and is obfuscated. It is Pegasus using its own injector ELF file to inject malicious code, as explained for the previous samples.

The indicators of compromise for this app; its first submission is very recent

The recent submission dates show that this sample is still circulating, which is consistent with the malware still being used operationally; they do not by themselves tell us who deployed it. The file is executable, as expected given the ELF component.

The different names this APK has carried over time, as samples were submitted by different people
The package name is chosen to mimic system software

This makes the app hard to spot, since it passes itself off as system software when it is an ordinary application. Hiding behind system-looking names is how this kind of malware conceals itself from the user (as noted above, this is impersonation rather than a true rootkit). In addition, let's not forget that the app is a trojan.

The app's suspicious permissions, activities and services
The app's suspicious receivers and the intent actions they filter on

You can view the full Joe Sandbox Report from here.

Multiple anti-malware engines detect this file as malicious
The malware can remount file systems (mounting and unmounting), which Joe Sandbox classes as privilege escalation, and can uninstall apps (APKs)
The app can end incoming calls
The app uses chmod to change file permissions
The app drops and installs a suspicious APK, most likely a second-stage Pegasus payload with more capabilities.

The dropped file is named base.apk, the same name seen when sample two was analysed.

Apps suspicious permissions
More suspicious permissions
More suspicious permissions
More suspicious permissions
More suspicious permissions
End of suspicious permissions, and the certificate information again

The certificate fields cannot be taken at face value. APKs are signed with self-signed certificates whose subject fields are filled in by whoever generated the key, so the names in them say nothing reliable about the developer, and nobody would expect NSO Group to sign its implant with its real name.

Outbound traffic from the Android device to the command-and-control server, following the Google Mobile Services traffic
Inbound traffic to the Android device from the command-and-control server
Some of the simulated events triggered during the sandbox run

Having confirmed what this sample can do, we know what to expect from the source code. As with the other samples, static analysis can still tell us more, so let's get into it.

Source Code Static Analysis:

The certificate information matches what VirusTotal and Joe Sandbox reported
Strings indicate that the Eclipse IDE was used to build the app, and we can see a copyright notice belonging to IBM

In the previous samples this IBM copyright appeared alongside a notice naming Andrea Dilger. Copyright strings like these come from bundled third-party libraries and tooling (Eclipse was originally an IBM project), so they identify the authors of those libraries, not the authors of the malware; they are not evidence that any named individual helped write Pegasus.

The app checks for received SMS, after which the suspicious permissions begin
Suspicious actions, receivers, services and permissions
More suspicious permissions
More suspicious permissions
More suspicious permissions
Last suspicious permissions

From the permissions, settings and intents this app declares (which match the VirusTotal and Joe Sandbox results), it is clearly malicious. The only thing it does visibly when opened is show a black screen, close itself, and hide its icon.

This is the same injector ELF file seen in the previously analysed samples

I won't explain again what it does, as it was covered in the past two samples that contain the same file.

The app connects to the networking and telephony services

As speculated in sample one, this could be related to SS7 interception, but note that an app on the handset has no access to the carrier's SS7 signalling network; what the telephony service gives it is the device-side view of calls and SMS, which is what the following captures show.

The app can access USSD services and enter USSD codes into the dialer
The app can read location information from the Android LocationManager and can start the network location provider
The app can receive alarm information and send it back to the command-and-control server as a message
The app can send ping probes from the device and relay the replies to the command-and-control server as a message
The app can read your calendar and parse your timezone
The app can check for received SMS
The app can dump SMS data to a file
The app can switch on airplane mode during a phone call

That's all for the analysis of sample 5. If you'd like to perform your own analysis, you can, and if you want to include my research in yours, please credit this analysis.

Sample 6:

This section covers the sixth sample of Pegasus Spyware. You can access the sample from this GitHub Repository.

Source Code Static Analysis:

Since only the raw XML output for this sample is available (the permission and intent declarations, without the APK itself), no dynamic or code-level analysis is possible; it does, however, show the permissions the app can make use of, which is enough for a short static review before we end this report.

Suspicious intents and permissions declared by this sample
More suspicious permissions declared by this sample
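Because sample 6 exists only as manifest XML, and because sample 5's manifest showed a system-mimicking package name together with a long permission list, the following added example (my own script, not code from the samples or from the original analysis) automates that first-pass manifest triage: it lists the declared permissions, picks out the high-risk ones the reports above keep flagging, checks whether the package name squats on a system namespace, whether a boot-completed receiver gives the app persistence, and whether any launcher activity is declared at all. The manifest it parses is constructed for the demo; the HIGH_RISK set and the SYSTEM_LIKE_PREFIXES are my own triage choices, not anything the samples define.

```python
"""Triage a decoded AndroidManifest.xml for the red flags seen in this write-up.

Added example for this write-up, not code from the samples.  Works on the
text manifest that JADX or apktool produce, or on raw manifest XML like sample 6.
"""
import xml.etree.ElementTree as ET
from typing import Dict

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions the reports above keep flagging; several together is a red flag.
HIGH_RISK = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CALL_LOG",
    "android.permission.WRITE_CALL_LOG", "android.permission.CALL_PHONE",
    "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.INSTALL_PACKAGES", "android.permission.DELETE_PACKAGES",
    "android.permission.MOUNT_UNMOUNT_FILESYSTEMS",
}
# Package prefixes a third-party app has no business using.
SYSTEM_LIKE_PREFIXES = ("android.", "com.android.", "com.google.android.")


def _a(el: ET.Element, name: str) -> str:
    """Read an android:-namespaced attribute, '' if absent."""
    return el.get("{%s}%s" % (ANDROID_NS, name), "")


def triage_manifest(xml_text: str) -> Dict:
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    perms = sorted(_a(p, "name") for p in root.iter("uses-permission"))
    # A launcher activity is one whose intent-filter has MAIN + LAUNCHER.
    has_launcher = any(
        "android.intent.action.MAIN" in {_a(x, "name") for x in flt.iter("action")}
        and "android.intent.category.LAUNCHER" in {_a(x, "name") for x in flt.iter("category")}
        for act in root.iter("activity") for flt in act.iter("intent-filter")
    )
    starts_on_boot = any(
        _a(x, "name") == "android.intent.action.BOOT_COMPLETED" for x in root.iter("action")
    )
    return {
        "package": pkg,
        "mimics_system": pkg.startswith(SYSTEM_LIKE_PREFIXES),
        "permissions": perms,
        "high_risk": sorted(p for p in perms if p in HIGH_RISK),
        "has_launcher_activity": has_launcher,
        "starts_on_boot": starts_on_boot,
    }


# Constructed manifest for the demo, not taken from any of the samples.
DEMO_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.android.systemservice.update">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Service">
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <service android:name=".CollectorService"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for key, value in triage_manifest(DEMO_MANIFEST).items():
        print(f"{key:22} {value}")
```

One caveat on the launcher check: an app like sample 5 that shows an icon once and then hides it at runtime still declares a launcher activity, so the manifest alone will not reveal that behaviour; the check catches apps that never declare one, and complements rather than replaces the dynamic observation above.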

That's all for the analysis of sample 6. If you'd like to perform your own analysis, you can, and if you want to include my research in yours, please credit this analysis.

Conclusion:

As we have seen, not all of Jonathan's samples are actually Pegasus; only some are, and those showed us what Pegasus is capable of, while the others turned out to be unrelated programs using the same injector. Some of Jonathan's research on Pegasus should therefore be revisited to understand why the injector turns up in other programs, and even in EXE files, that are not linked to Pegasus at all. I hope the analysis presented here helps with that investigation and gives a clearer understanding of the samples in his GitHub Repository.
