{
	"id": "74fa04c9-8d68-4b4b-8a05-3dda38c97678",
	"created_at": "2026-04-06T00:06:30.589799Z",
	"updated_at": "2026-04-10T13:12:13.248215Z",
	"deleted_at": null,
	"sha1_hash": "9542644520f81e774fb6a9915c5eb907889ac69f",
	"title": "A technical analysis of Pegasus for Android – Part 3 – CYBER GEEKS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 6627831,
	"plain_text": "A technical analysis of Pegasus for Android – Part 3 – CYBER GEEKS\r\nPublished: 2022-10-31 · Archived: 2026-04-05 16:40:35 UTC\r\nSummary\r\nPegasus is spyware developed by the NSO Group that has been repeatedly analyzed by Amnesty International and CitizenLab. In this article, we dissect the Android version that was initially analyzed by Lookout in this paper, and we recommend reading it along with this post. During our research on Pegasus for Android, we found out that vendors wrongly attributed some undocumented APK files to Pegasus, as highlighted by a researcher here. We’ve split the analysis into 3 parts because of the code’s complexity and length. We’ve also tried to keep the section names proposed by Lookout whenever possible so that anybody can follow the two approaches more easily. In this last part, we present the WAP Push messages that could be used to autoload content on the phone without user interaction, the C2 communication over the MQTT protocol, the exploitation of a vulnerability in MediaPlayer that was not disclosed before, and the ability of the spyware to track the phone’s location. You can consult the second part of the Pegasus analysis here.\r\nAnalyst: @GeeksCyber\r\nTechnical analysis\r\nSHA256: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5\r\nPegasus initialization\r\nThe agent extracts the Android version, a string that uniquely identifies the build, and tries to retrieve a configuration value called “isItFirstRunEver” that indicates whether this is the first run of the malware:\r\nFigure 1\r\nThe process verifies whether the “/data/data/com.network.android” directory exists on the device; otherwise, it is created. 
The existence of the directory means that this is not the first execution of the malware, and the “isItFirstRunEver” value is set to false using the putBoolean function:\r\nhttps://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/\r\nPage 1 of 37\n\nFigure 2\r\nIt checks for the existence of the malicious APK file on the phone and will use the superuser binary called “/system/csk” to run commands with root privileges:\r\nFigure 3\r\nA check for an antidote file called “/sdcard/MemosForNotes” is performed, and the spyware removes itself if this file is found (see figure 4).\r\nFigure 4\r\nThe agent calls multiple functions that steal information from the targeted applications, as shown in the figure below.\r\nFigure 5\r\nA value called “screen_off_timeout”, which represents the number of milliseconds before the device goes to sleep or begins to dream after inactivity, is extracted by the process and compared with 15 seconds. 
Other configuration values such as “wasPhoneWasUnmutedAfterTapNicly” [sic], “originalVibrateValue”, and “originalRingerValue” are also extracted from the configuration:\r\nFigure 6\r\nWAP Push Messages\r\nThe process logs a message that indicates a change in the WAP settings:\r\nFigure 7\r\nIt retrieves the file permissions of “/data/data/com.android.mms/shared_prefs/com.android.mms_preferences.xml” and changes them using the chmod command:\r\nFigure 8\r\nFigure 9\r\nFigure 10\r\nThe LD_LIBRARY_PATH environment variable is modified, and the above file’s permissions are set to read \u0026 write (0666):\r\nFigure 11\r\nThe agent changes the WAP settings to enable push messages, as highlighted in the figure below.\r\nFigure 12\r\nThe malware verifies whether the Build.FINGERPRINT value contains “JPKJ2”, and it stops the Messages app:\r\nFigure 13\r\nThe superuser binary called “/system/csk” is expected to be found on the phone (see figure 14).\r\nFigure 14\r\nThe malicious process checks for the existence of the SMS/MMS database at “/data/data/com.android.providers.telephony/databases/mmssms.db”:\r\nFigure 15\r\nThe permissions of the “mmssms.db”, “mmssms.db-shm”, and “mmssms.db-wal” databases are changed to 0777 (read, write, \u0026 execute for owner, group and others):\r\nFigure 16\r\nFigure 17\r\nFigure 18\r\nThe agent opens one of the above databases and runs the following SQL query via a function call to rawQuery:\r\nFigure 19\r\nThe index of the “href”, “_id”, “read”, “seen”, and 
“thread_id” columns is extracted:\r\nFigure 20\r\nThe spyware tries to delete some WAP push messages that could be used to automatically open a link in a browser on the phone without user interaction:\r\nFigure 21\r\nFigure 22\r\nThe WAP messages are deleted by calling the SQLiteDatabase.delete method:\r\nFigure 23\r\nFigure 24\r\nMessage Queue Telemetry Transport (MQTT)\r\nAnother way to communicate with the command and control infrastructure is using the MQTT protocol.\r\nThe “should_use_mqtt” configuration value establishes whether the agent is allowed to communicate with the C2 servers via MQTT, as shown below:\r\nFigure 25\r\nAnother config value called “mqttAllowedConnectionType” indicates whether the phone is allowed to communicate via MQTT while it’s connected to Wi-Fi (value = 1), mobile data (value = 4), or when the device is roaming (value = 8):\r\nFigure 26\r\nThe malware retrieves connection status information about all network types via a function call to getAllNetworkInfo and compares the type of the network with “WIFI” and “MOBILE”:\r\nFigure 27\r\nThe isNetworkRoaming function is utilized to verify whether the phone is roaming:\r\nFigure 28\r\nFigure 29\r\nThe application extracts the current date and ensures that the token id found in the configuration is not null:\r\nFigure 30\r\nThe following values are obtained from the configuration:\r\nmqttIdPref – identifies a client in combination with the username\r\nmqttQos – quality of service for MQTT connections\r\nmqttHost – attacker’s MQTT host\r\nmqttPort – MQTT port number\r\nFigure 31\r\nThe “mqttUsername” config value represents the username used during the authentication with the MQTT server, and the “mqttPassword” value is the password used during the authentication process:\r\nFigure 32\r\nThe malware logs a message containing the MQTT URL, username, and password and then calls a function that will start the communication:\r\nFigure 33\r\nThe MQTT broker URL is constructed by the malicious process:\r\nFigure 34\r\nThe “mqttKaTimer” configuration value represents the MQTT keep-alive timer (see figure 35).\r\nFigure 35\r\nFinally, the process makes network connections with the attacker’s infrastructure over MQTT and compares the broker URL with “tcp://”, “ssl://”, and “local://”:\r\nFigure 36\r\nFigure 37\r\nThe maximum number of reconnection attempts is stored in a configuration value called “mqttRecCount”:\r\nFigure 38\r\nThe agent tries to subscribe to an MQTT topic specified in the configuration, as highlighted in figure 39.\r\nFigure 39\r\nThe application logs multiple messages that indicate the successful connection and the subscription to the topic:\r\nFigure 40\r\nThe NetworkInfo.isConnected method is used to verify whether there is an active internet connection on the device:\r\nFigure 41\r\nThe binary receives the messages from within the topic on the broker that contain commands to be executed:\r\nFigure 42\r\nAll commands are added to a queue, as we already described in part 2:\r\nFigure 43\r\nThe parameter “s=” contains a checksum that will be checked against another computed value in order to confirm that the command was transmitted by the threat actor:\r\nFigure 44\r\nThe command transmitted via MQTT contains a token value that identifies the infected device, as displayed in the figure below.\r\nFigure 45\r\nThe command will not be executed if the checksums don’t match:\r\nFigure 46\r\nThe commands received via SMS that we already described here can also be transmitted using the MQTT protocol:\r\nFigure 47\r\nEmail attachments\r\nThe emailAttCmd command can be used to retrieve emails and attachments from the EmailProviderBody.db database:\r\nFigure 48\r\nFigure 49\r\nDownload files\r\nThe malware has the ability to download additional files/packages from a remote URL (see figure 50).\r\nFigure 50\r\nThe process opens a connection to a specific URL using the openConnection function and sets the read timeout to 120s and the connect timeout to 1800s:\r\nFigure 51\r\nThe response body is read by calling the URLConnection.getInputStream and BufferedInputStream.read functions:\r\nFigure 52\r\nA file is populated with the buffer downloaded from the remote URL via a call to FileOutputStream.write:\r\nFigure 53\r\nVulnerability exploitation in MediaPlayer\r\nTo the best of our knowledge, this is the first mention that Pegasus for Android exploited a vulnerability in MediaPlayer. Unfortunately, the file responsible for exploitation, called “/data/data/com.network.android/output.mp3”, is empty, and we couldn’t retrieve its content:\r\nFigure 54\r\nThe MP3 file is populated at runtime using the FileOutputStream.write function. The file’s permissions are set to 511 by the malware:\r\nFigure 55\r\nFigure 56\r\nThe setDataSource method is utilized to set the data source for MediaPlayer. The application prepares and starts the playback, which we believe would result in exploiting a vulnerability:\r\nFigure 57\r\nTrack phone’s location\r\nPegasus spyware has the ability to monitor the device’s location. 
It verifies whether the GPS provider is active by calling the isProviderEnabled function and then obtains location information using the requestLocationUpdates function:\r\nFigure 58\r\nThe location is stored in an XMLSerializer object containing the latitude, the longitude, the altitude of the location, the estimated horizontal accuracy radius, and the speed at the time of the location:\r\nFigure 59\r\nFigure 60\r\nThe process retrieves the current location of the device via a call to getCellLocation and the numeric name (MCC+MNC) of the current registered operator using getNetworkOperator. The GSM cell id and the GSM location area code are also stored in the XMLSerializer object:\r\nFigure 61\r\nFigure 62\r\nFigure 63\r\nOther relevant activities\r\nThe agent compares the Android version with 2.3 and then the phone model with a list, as shown below:\r\nFigure 64\r\nFigure 65\r\nAs we already described in part 1, the malware has the capability to upgrade itself:\r\nFigure 66\r\nThe application obtains the serial number of the SIM and extracts the “local” configuration value:\r\nFigure 67\r\nThe “NetworkWindowSim” config value is extracted and compared with the value described above. 
If these two values don’t match, it means that the SIM was changed, and the config value is changed accordingly (see figure 68).\r\nFigure 68\r\nThe spyware verifies whether the “/data/reinslock” file exists on the device, which indicates that the application was reinstalled:\r\nFigure 69\r\nAs we’ve seen during the entire analysis, the threat actor didn’t make any effort to hide the true purpose of the APK. Figure 70 reveals the message stating that Pegasus was successfully initialized:\r\nFigure 70\r\nThis concludes our 3-part analysis of Pegasus for Android. We believe that some of the functionalities presented here are also used by recent malware families, and our analysis might represent the first step in detecting them.\r\nSource: https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cybergeeks.tech/a-technical-analysis-of-pegasus-for-android-part-3/"
	],
	"report_names": [
		"a-technical-analysis-of-pegasus-for-android-part-3"
	],
	"threat_actors": [],
	"ts_created_at": 1775433990,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9542644520f81e774fb6a9915c5eb907889ac69f.pdf",
		"text": "https://archive.orkl.eu/9542644520f81e774fb6a9915c5eb907889ac69f.txt",
		"img": "https://archive.orkl.eu/9542644520f81e774fb6a9915c5eb907889ac69f.jpg"
	}
}