{
	"id": "0a6b84d4-b1a0-462c-a54e-9f1a5b6f001f",
	"created_at": "2026-04-06T00:18:51.880114Z",
	"updated_at": "2026-04-10T03:20:21.244876Z",
	"deleted_at": null,
	"sha1_hash": "fd8d5a83617bc7dd9d4cf01ad788288e3e30421c",
	"title": "Pegasus for Android: The Other Side of the Story Emerges",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48920,
	"plain_text": "Pegasus for Android: The Other Side of the Story Emerges\r\nBy Lookout\r\nPublished: 2017-04-03 · Archived: 2026-04-05 15:57:22 UTC\r\nToday, Lookout and Google are releasing research into the Android version of one of the most sophisticated and\r\ntargeted mobile attacks we’ve seen in the wild: Pegasus.\r\nRead the full technical analysis here\r\nA “cyber arms dealer” named NSO Group developed the Pegasus malware, which jailbreaks or roots target\r\ndevices to surveil specific targets. Last summer, after being tipped off by a political dissident in the UAE, Citizen\r\nLab brought Lookout in to further investigate Pegasus. In August 2016, Lookout, with Citizen Lab, published\r\nresearch about the discovery of the iOS version of this threat. What we discovered was a serious mobile spyware\r\noperation that has since been reportedly used to target Mexican activists, according to The New York Times.\r\nGoogle calls this threat Chrysaor, the brother of Pegasus. For simplicity, we’ll reference this as Pegasus for\r\nAndroid. Names aside, the threat is clear: NSO Group has sophisticated mobile spyware capabilities across a\r\nnumber of operating systems that are actively being used to target individuals.\r\nLookout enterprise and personal customers are protected from this threat.\r\nFinding the threat\r\nIn the course of researching the iOS threat, Lookout researchers mined our comprehensive dataset and located\r\nsignals of anomalous Android applications. We have sophisticated and valuable insight into what is happening in\r\nthe mobile ecosystem at any given point in time. 
Without the Lookout Security Cloud, Pegasus for Android most\r\nlikely would not have been found.\r\nAfter looking into these signals, we determined that an Android version of Pegasus was running on phones in\r\nIsrael, Georgia, Mexico, Turkey, the UAE, and others.\r\nWhat it does\r\nThe Android version performs similar spying functionality as Pegasus for iOS, including:\r\nKeylogging\r\nScreenshot capture\r\nLive audio capture\r\nRemote control of the malware via SMS\r\nMessaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter,\r\nViber, Kakao\r\nBrowser history exfiltration\r\nEmail exfiltration from Android’s Native Email client\r\nContacts and text message\r\nIt self-destructs if the software feels its position is at risk. Pegasus for Android will remove itself from the phone if:\r\nThe SIM MCC ID is invalid\r\nAn “antidote” file exists\r\nIt has not been able to check in with the servers after 60 days\r\nIt receives a command from the server to remove itself\r\nIt’s clear that this malware was built to be stealthy, targeted, and is very sophisticated.\r\nHow it’s different from the iOS version\r\nThe biggest distinction between the iOS and Android versions of Pegasus is the Android version does not use\r\nzero-day vulnerabilities to root the device.\r\nIn the course of researching the Pegasus for iOS, Lookout discovered three vulnerabilities Pegasus used to\r\njailbreak the target device, and install and run the malicious software. We called these three “Trident.”\r\nPegasus for Android does not require zero-day vulnerabilities to root the target device and install the malware.\r\nInstead, the threat uses an otherwise well-known rooting technique called Framaroot. In the case of Pegasus for\r\niOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. 
In the\r\nAndroid version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for\r\npermissions that would then allow it to access and exfiltrate data. The failsafe jumps into action if the initial\r\nattempt to root the device fails.\r\nThis means Pegasus for Android is easier to deploy on devices and has the ability to move laterally if the first\r\nattempt to hijack the device fails.\r\nContacting the target\r\nLookout alerted Google to the presence of the malware and worked with the Google Security team to understand\r\nthe overall threat. Google has since sent a notification to potential targets with information about remediating the\r\nthreat.\r\nAnyone who believes they may have come into contact with Pegasus for Android or iOS should contact Lookout\r\nSupport.\r\nWe have provided our full, technical research in a report Pegasus for Android: Technical Analysis and Findings of\r\nChrysaor. If you are interested in the detailed story behind how we found Pegasus for Android and exactly what it\r\ndoes, read the full report here.\r\nSource: https://blog.lookout.com/blog/2017/04/03/pegasus-android/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"
	],
	"report_names": [
		"pegasus-android"
	],
	"threat_actors": [],
	"ts_created_at": 1775434731,
	"ts_updated_at": 1775791221,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fd8d5a83617bc7dd9d4cf01ad788288e3e30421c.pdf",
		"text": "https://archive.orkl.eu/fd8d5a83617bc7dd9d4cf01ad788288e3e30421c.txt",
		"img": "https://archive.orkl.eu/fd8d5a83617bc7dd9d4cf01ad788288e3e30421c.jpg"
	}
}