Self-destructing Pegasus for Android is an smartphone-targeting spying superbug

Research on one of the most sophisticated espionage/spying apps for Android devices has been released by Google and mobile security provider Lookout.

Pegasus for Android is a replica version of the Pegasus for iOS app that was capable of not just recording every action on a mobile phone but also self-destruct when it 'felt' it had been compromised. Discovered back in October, Apple were forced to act swiftly when the full scope of the three high-severity iOS vulnerabilities came into focus. They could be used by hackers, usually State agents to infect iPhones so confidential messages and texts could be stolen from the likes of Gmail, Facebook, and WhatsApp.

According to the research on the Android version, Pegasus is similarly kitted out in its Android avatar too and is capable of:
Keylogging
Screenshot capture
Live audio capture
Remote control of the malware via SMS
Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, Kakao
Browser history exfiltration
Email exfiltration from Android’s Native Email client
Contacts and text message

YOU MAY ALSO LIKE:

Dissidents lookout!

The watershed moment came, when last year, a political dissident in the UAE raised raised questions about being spied upon. It was then that Lookout started looking into Pegasus which was developed by an Israel-based NSO Group which claims to only sell its surveillance products to governments.

That is when several cases of Pegasus being used to rattle dissidents. activists and Government critics were discovered. The most high-profile being that of Mexican officials who were critics of the country's soda laws.  Following the report published August 2016 by Lookout and Citizen Lab, the severity to iOS devices was discovered, prompting Apple taking evasive measures.

On their blog, Lookout say: 'In the course of researching the iOS threat, Lookout researchers mined our comprehensive  dataset and located signals of anomalous Android applications. After looking into these signals, we determined that an Android version of Pegasus was running on phones in Israel, Georgia, Mexico, Turkey, the UAE, and others.'

Pegasus for Android self-destructs if the software feels its position is at risk and will remove itself from the phone if:

The SIM MCC ID is invalid
An “antidote” file exists
It has not been able to check in with the servers after 60 days
It receives a command from the server to remove itself

Difference between Pegasus for Android and Pegasus for iOS

While the iOS version uses zero-day vulnerabilities to root the device, on Android, it uses Framaroot- a popular rooting technique.  Owing to the way Android works, the attackers are able to repeatedly ask for access permission to get to the data, making it easier to hack.

Google have now looked at the findings and sent potential targets remedial measures they could take. Users who think they may have been in contact with Pegasus for Android or iOS can contact Lookout at threatintel@lookout.com.