A technical analysis of Pegasus for Android – Part 3

Summary

Pegasus is a spyware developed by the NSO group that was repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research about Pegasus for Android, we’ve found out that vendors wrongly attributed some undocumented APK files to Pegasus, as highlighted by a researcher here. We’ve splitted the analysis into 3 parts because of the code’s complexity and length. We’ve also tried to keep the sections name proposed by Lookout whenever it was possible so that anybody could follow the two approaches more easily. In this last part, we’re presenting the WAP Push messages that could be used to autoload content on the phone without user interaction, the C2 communication over the MQTT protocol, the exploitation of a vulnerability in MediaPlayer that was not disclosed before, and the ability of the spyware to track phone’s locations. You can consult the second part of the Pegasus analysis here.

Analyst@GeeksCyber

Technical analysis

SHA256: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5

Pegasus initialization

The agent extracts the Android version, a string that uniquely identifies the build, and tries to retrieve a configuration value called “isItFirstRunEver” that indicates if this is the first run of the malware:

Figure 1

The process verifies whether the “/data/data/com.network.android” directory exists on the device; otherwise, it is created. The existence of the directory means that this is not the first execution of the malware, and the “isItFirstRunEver” value is set to false using the putBoolean function:

Figure 2

It checks the existence of the malicious APK file on the phone and will use the superuser binary called “/system/csk” to run commands with root privileges:

Figure 3

A check for an antidote file called “/sdcard/MemosForNotes” is performed, and the spyware removes itself if this file is found (see figure 4).

Figure 4

The agent calls multiple functions that steal information from the targeted applications, as shown in the figure below.

Figure 5

A value called “screen_off_timeout”, which represents the number of milliseconds before the device goes to sleep or begins to dream after inactivity, is extracted by the process and is compared with 15 seconds. Other configuration values such as “wasPhoneWasUnmutedAfterTapNicly” [sic], “originalVibrateValue”, and “originalRingerValue” are also extracted from configuration:

Figure 6

WAP Push Messages

The process logs a message that indicates a change in the WAP settings:

Figure 7

It retrieves the file permissions of “/data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml” and changes them using the chmod command:

Figure 8
Figure 9
Figure 10

The LD_LIBRARY_PATH environment variable is modified, and the above file’s permissions are set to read & write (0666):

Figure 11

The agent changes the WAP settings to enable push messages, as highlighted in the figure below.

Figure 12

The malware verifies if the Build.FINGERPRINT value contains “JPKJ2”, and it stops the Messages app:

Figure 13

The superuser binary called “/system/csk” is expected to be found on the phone (see figure 14).

Figure 14

The malicious process checks for the existence of the SMS/MMS database at “/data/data/com.android.providers.telephony/databases/mmssms.db”:

Figure 15

The permissions of the “mmssms.db”, “mmssms.db-shm”, and “mmssms.db-wal” databases are changed to 0777 (read, write, & execute for owner, group and others):

Figure 16
Figure 17
Figure 18

The agent opens one of the above databases and runs the following SQL query via a function call to rawQuery:

Figure 19

The index of the “href”, “_id”, “read”, “seen”, and “thread_id” columns is extracted:

Figure 20

The spyware tries to delete some WAP push messages that could be used to automatically open a link in a browser on the phone without user interaction:

Figure 21
Figure 22

The WAP messages are deleted by calling the SQLiteDatabase.delete method:

Figure 23
Figure 24

Message Queue Telemetry Transport (MQTT)

Another way to communicate with the command and control infrastructure is using the MQTT protocol.

The “should_use_mqtt” configuration value establishes whether the agent is allowed to communicate with the C2 servers via MQTT, as shown below:

Figure 25

Another config value called “mqttAllowedConnectionType” indicates if the phone is allowed to communicate via MQTT while it’s connected to Wi-Fi (value = 1), mobile data (value = 4), or when the device is roaming (value = 8):

Figure 26

The malware retrieves connection status information about all network types via a function call to getAllNetworkInfo and compares the type of the network with “WIFI” and “MOBILE”:

Figure 27

The isNetworkRoaming function is utilized to verify whether the phone is roaming:

Figure 28
Figure 29

The application extracts the current date and ensures that the token id found in the configuration is not null:

Figure 30

The following values are obtained from the configuration:

  • mqttIdPref – identify a client in combination with the username
  • mqttQos – quality of service for MQTT connections
  • mqttHost – attacker’s MQTT host
  • mqttPort – MQTT port number
Figure 31

The “mqttUsername” config value represents the username used during the authentication with the MQTT server, and the “mqttPassword” value is the password used during the authentication process:

Figure 32

The malware logs a message containing the MQTT URL, username, and password and then calls a function that will start the communication:

Figure 33

The MQTT broker URL is constructed by the malicious process:

Figure 34

The “mqttKaTimer” configuration value represents the MQTT keep alive timer (see figure 35).

Figure 35

Finally, the process makes network connections with the attacker’s infrastructure over MQTT and compares the broker URL with “tcp://”, “ssl://”, and “local://”:

Figure 36
Figure 37

The maximum number of reconnection attempts is stored in a configuration value called “mqttRecCount”:

Figure 38

The agent tries to subscribe to an MQTT topic specified in the configuration, as highlighted in figure 39.

Figure 39

The application logs multiple messages that indicate the successful connection and the subscription to the topic:

Figure 40

The NetworkInfo.isConnected method is used to verify whether there is an active internet connection on the device:

Figure 41

The binary receives the messages from within the topic on the broker that contain commands to be executed:

Figure 42

All commands are added to a queue as we already described in part 2:

Figure 43

The parameter “s=” contains a checksum that will be checked against another computed value in order to confirm that the command was transmitted by the threat actor:

Figure 44

The command transmitted via MQTT contains a token value that identifies the infected device, as displayed in the figure below.

Figure 45

The command will not be executed if the checksums don’t match:

Figure 46

The commands received via SMS that we already described here can be also transmitted using the MQTT protocol:

Figure 47

Email attachments

The emailAttCmd command can be used to retrieve emails and attachments from the EmailProviderBody.db database:

Figure 48
Figure 49

Download files

The malware has the ability to download additional files/packages from a remote URL (see figure 50).

Figure 50

The process opens a connection to a specific URL using the openConnection function and sets the read timeout to 120s and the connect timeout to 1800s:

Figure 51

The response body is read by calling the URLConnection.getInputStream and BufferedInputStream.read functions:

Figure 52

A file is populated with the buffer downloaded from the remote URL via a call to FileOutputStream.write:

Figure 53

Vulnerability exploitation in MediaPlayer

To the best of our knowledge, this is the first mention that Pegasus for Android exploited a vulnerability in MediaPlayer. Unfortunately, the file responsible for exploitation called “/data/data/com.network.android/output.mp3” is empty, and we couldn’t retrieve its content:

Figure 54

The MP3 file is populated at runtime using the FileOutputStream.write function. The file’s permissions are set to 511 by the malware:

Figure 55
Figure 56

The setDataSource method is utilized to set the data source for MediaPlayer. The application prepares and starts the playback, which we believe would result in exploiting a vulnerability:

Figure 57

Track phone’s location

Pegasus spyware has the ability to monitor the device’s location. It verifies if the GPS provider is active by calling the isProviderEnabled function and then obtains location information using the requestLocationUpdates function:

Figure 58

The location is stored in an XMLSerializer object containing the latitude, the longitude, the altitude of the location, the estimated horizontal accuracy radius, and the speed at the time of the location:

Figure 59
Figure 60

The process retrieves the current location of the device via a call to getCellLocation and the numeric name (MCC+MNC) of the current registered operator using getNetworkOperator. The GSM cell id and the GSM location area code are also stored in the XMLSerializer object:

Figure 61
Figure 62
Figure 63

Other relevant activities

The agent compares the Android version with 2.3 and then the phone model with a list, as shown below:

Figure 64
Figure 65

As we already described in part 1, the malware has the capability to upgrade itself:

Figure 66

The application obtains the serial number of the SIM and extracts the “local” configuration value:

Figure 67

The “NetworkWindowSim” config value is extracted and compared with the value described above. If these two values don’t match, it means that the SIM was changed, and the config value is changed accordingly (see figure 68).

Figure 68

The spyware verifies if the “/data/reinslock” file exists on the device, which indicates that the application was reinstalled:

Figure 69

As we’ve seen during the entire analysis, the threat actor didn’t make any efforts to hide the true purpose of the APK. Figure 70 reveals the message stating that Pegasus was successfully initialized:

Figure 70

This concludes our 3-part analysis of Pegasus for Android. We believe that some of the functionalities presented here are also used by recent malware families, and our analysis might represent the first step in detecting them.

4.8 6 votes
Article Rating
1 Comment
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
X Crater

Wonderful!