platform in order to expand the industry’s knowledge and ability to protect against this type of
threat globally.
Background
In August 2016, Lookout published a technical analysis of Pegasus for iOS, a sophisticated,
targeted lawful-intercept attack that was in active use against a number of mobile users globally.
We published our findings in the Technical Analysis of Pegasus Spyware report upon the
release of Apple’s iOS 9.3.5 patch. The patch closed the attack vector — Trident, an exploit chain of
three related zero-day vulnerabilities in iOS — which Pegasus used to compromise the target device.
Lookout protected its customers against Pegasus for iOS at that point.
Pegasus is highly advanced in its stealth, its use of exploits, its code obfuscation, and its
encryption. It has a broad surveillanceware feature set that takes advantage of functionality
available on mobile, such as:
● Always-on communications over Wi-Fi, 3G, or 4G
● Phone
● Messaging and email apps such as WhatsApp, Facebook, and Viber
● Camera
● Contact list
● Keystroke logging
The original report shed light on the presence of advanced “lawful intercept” technologies.
Lookout, along with Citizen Lab, established that the Pegasus surveillanceware software
product is developed by NSO Group. According to news reports, NSO Group sells weaponized
software that targets mobile phones to governments. News reports indicate that the Pegasus
spyware is sold for use on high-value targets for multiple purposes, including sophisticated
espionage on iOS, BlackBerry, and Android.
Our research into Pegasus for Android began in late 2016, at which point we shared the initial
findings and began our collaboration with Google. Our team set out to discover and ultimately
enable detection of the Android version of NSO’s Pegasus software.
Threat Hunting and Joint Investigation
Immediately upon discovery of the iOS version of Pegasus, Lookout’s team of intelligence
analysts and data scientists began hunting down Pegasus for Android via a combination of
automated and manual analysis of the telemetry from the Lookout Security Cloud. Using
anomalies identified from our large anonymized corpus of data, we were able to focus on a
number of unique indicators of compromise (IOCs) that acted as signals to flag specific outliers
within our sensor network. Combining several layers of signal intelligence, including detections
of Pegasus for iOS, allowed the team to identify these indicators for deeper analysis.
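The hunting approach described above combines two signals: rarity of a package across the sensor population (an anomaly in the corpus) and matches against indicators already known from the iOS-side detections. The following is an added illustration of that combination and is not Lookout's code; every telemetry record, hash, domain and device id in it is a constructed placeholder, not a real indicator of compromise.

```python
"""Prevalence-plus-IOC outlier flagging over constructed mobile telemetry.

Added example; not Lookout's tooling. All records, hashes and domains are
constructed placeholders.
"""
from collections import defaultdict

# Constructed telemetry: (device_id, package_name, apk_sha256, contacted_domain)
TELEMETRY = [
    ("dev-001", "com.example.mail", "HASH_A", "mail.example.com"),
    ("dev-002", "com.example.mail", "HASH_A", "mail.example.com"),
    ("dev-003", "com.example.mail", "HASH_A", "mail.example.com"),
    ("dev-004", "com.example.mail", "HASH_A", "mail.example.com"),
    ("dev-005", "com.example.chat", "HASH_B", "chat.example.com"),
    ("dev-006", "com.example.chat", "HASH_B", "chat.example.com"),
    ("dev-007", "com.example.chat", "HASH_B", "chat.example.com"),
    # Rare package seen on a single device that also contacts a listed domain.
    ("dev-002", "com.example.update", "HASH_C", "known-bad.example.invalid"),
    # Common package, but one device contacts a listed domain.
    ("dev-008", "com.example.mail", "HASH_A", "known-bad.example.invalid"),
]

# Constructed IOC lists standing in for indicators shared from another platform's detections.
KNOWN_IOC_DOMAINS = {"known-bad.example.invalid"}
KNOWN_IOC_HASHES = {"HASH_Z"}


def prevalence(records):
    """Count distinct devices on which each (package, hash) pair was observed."""
    seen = defaultdict(set)
    for device, pkg, sha, _domain in records:
        seen[(pkg, sha)].add(device)
    return {key: len(devices) for key, devices in seen.items()}


def flag_outliers(records, max_devices=1):
    """Return (device, package, hash) triples whose package/hash pair is seen on
    at most max_devices devices in the corpus: the anomaly signal."""
    prev = prevalence(records)
    return sorted({(d, p, s) for d, p, s, _ in records if prev[(p, s)] <= max_devices})


def flag_ioc_hits(records):
    """Return (device, package, hash) triples that match a known domain or hash IOC."""
    return sorted(
        {(d, p, s) for d, p, s, dom in records
         if dom in KNOWN_IOC_DOMAINS or s in KNOWN_IOC_HASHES}
    )


def hunt(records, max_devices=1):
    """Combine both signals and rank devices by the number of signals triggered,
    so a device that is both anomalous and IOC-matching surfaces first."""
    score = defaultdict(int)
    for device, _, _ in flag_outliers(records, max_devices):
        score[device] += 1
    for device, _, _ in flag_ioc_hits(records):
        score[device] += 1
    return sorted(score.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for device, signals in hunt(TELEMETRY):
        print(f"{device}: {signals} signal(s)")
```

Prevalence alone produces many benign one-off packages in a large corpus, and IOC matching alone misses anything not yet listed; ranking on the intersection is what lets an analyst spend manual review time on the handful of devices that trigger both.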