Found: Quite possibly the most sophisticated Android espionage app ever

Researchers have uncovered one of the most advanced espionage apps ever written for the Android mobile operating system. They found the app after it had infected a few dozen handsets.

Pegasus for Android is the companion app to Pegasus for iOS, a full-featured espionage platform that was discovered in August infecting the iPhone of a political dissident located in the United Arab Emirates. Researchers from Google and the mobile-security firm Lookout found the Android version in the months following, as they scoured the Internet. Google said an Android security feature known as Verify Apps indicated the newly discovered version of Pegasus had been installed on fewer than three-dozen devices.

"Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups," Lookout researchers wrote in a technical analysis published Monday. "These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world."

Like its iOS counterpart, Pegasus for Android offers a wide array of spying functions, including:

• Keylogging
• Screenshot capture
• Live audio and video capture
• Remote control of the malware via SMS
• Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao
• Browser history exfiltration
• E-mail exfiltration from Android’s Native E-mail client
• Contacts and text message exfiltration

This app will self-destruct

Pegasus for Android also has the ability to self-destruct when it's at risk of being discovered or compromised. The self-destruct mechanism can be triggered in several different ways: if the mobile country code associated with the SIM card is invalid; if an "antidote" file exists in the /sdcard/MemosForNotes folder; if the app has been unable to connect to an attacker-controlled server for 60 days; or if the app receives a command from the server to remove itself.

"It's clear that this malware was built to be stealthy, targeted, and is very sophisticated," Lookout researchers wrote in a blog post.

The iOS version of Pegasus took hold of targeted devices by exploiting a trio of critical security vulnerabilities that were unknown to Apple and most other security researchers. All that was required for an iPhone to be infected was that it open a booby-trapped website. (Apple patched the vulnerabilities at the same time that researchers from Citizen Lab and Lookout announced their discovery.) In the event the attempted iOS jailbreak was unsuccessful, Pegasus would abort all attempts to infect the iPhone.

Pegasus for Android, by contrast, doesn't rely on zero-day security bugs to root targeted devices so they can be infected. Instead, it uses a well-known rooting technique called Framaroot in an attempt to override security safeguards built into the Android OS. And in the event the rooting doesn't work, the espionage app seeks permissions required to exfiltrate data. As a result, Pegasus for Android is easier to deploy and has additional opportunities to take hold if the first attempt fails.

The app was never located in Google Play, Google said in its own blog post published Monday. Verify Apps showed Israel as the country hosting the largest number of targeted phones followed by Georgia, Mexico, Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, the United Arab Emirates, Ukraine, and Uzbekistan.

Both the Lookout and Google blog posts attributed Pegasus for Android to NSO Group, an Israel-based seller of computer exploits that was also credited with creating Pegasus for iOS. So-called lawful intercept software is ostensibly sold to legitimate law enforcement agencies so they can investigate and prosecute crimes. In practice, the tools are routinely used against citizens of Russia, Iran, and many other countries with repressive governments.

Given how narrowly targeted the Pegasus attacks were, the chances are extremely small that they infected readers of this post. The previously mentioned technical analysis will allow more technically knowledgeable people to know if a given phone has been compromised. Lookout is asking anyone with evidence they came into contact with Pegasus for Android or iOS to contact researchers at threatintel@lookout.com.

Listing image by Employees of MGM