ally ndimbo 2 weeks ago
ally-ndimbo #cybersecurity

Pegasus: What it is and how it works

Pegasus is a highly advanced piece of mobile spyware created by the Israeli company NSO Group. It’s designed to infiltrate smartphones running Android or iOS and provide an operator with remote, covert control of the device. The following blog post focuses strictly on the technical mechanics: what Pegasus does, how it typically infects devices, its post-infection architecture, and the technical signs you can look for.

What Pegasus is

Pegasus is a modular implant (spyware) that, once installed, can access virtually all data and sensors on a phone. Typical capabilities include reading messages, extracting call logs and contacts, capturing photos and videos, recording ambient audio via the microphone, scraping app data, tracking GPS location, and taking screenshots. Pegasus is built as a set of lightweight, encrypted modules that are delivered and managed from remote command-and-control (C2) infrastructure.


Typical infection chain (step-by-step)
  1. Targeting and reconnaissance: The operator chooses a target identifier (phone number, email, or other ID) and determines the target’s likely OS version and apps to select the most effective exploit vector.
  2. Payload crafting: A tailored exploit payload is prepared. Payloads are often small bootstrap binaries or crafted messages that exploit a specific vulnerability in the OS or an app component (e.g., messaging parsers, media libraries).
  3. Delivery vector:
     • Zero-click: The payload is delivered in a way that requires no user action (for example, a specially crafted message or media object that triggers a vulnerability when processed).
     • One/Two-click: The user is enticed to open a link or attachment (spear-phishing), which then triggers the exploit.
     • Delivery is targeted to the vulnerable component the reconnaissance identified.
  4. Exploit execution: The malicious input triggers a vulnerability (often a memory corruption bug). This leads to execution of attacker code inside the context of the vulnerable process.
  5. Sandbox escape and privilege escalation: The initial code typically runs in a restricted app sandbox. The implant chains further exploits to escape that sandbox and escalate privileges (often to kernel or system level) to gain broader control over the device.
  6. Bootstrap and implant installation: A bootstrap implant writes additional modules to device storage and configures persistence mechanisms. These modules are typically encrypted and obfuscated to resist static analysis.
  7. Persistence mechanisms: Persistence can be achieved via OS service/daemon installation, scheduled tasks, modified configuration files, or kernel hooks — depending on the level of privilege obtained.
  8. C2 registration and beaconing: The implant periodically beacons out to command-and-control servers to register and receive instructions. Communications are encrypted and may use proxies, rotating domains, or other evasive techniques.
  9. Module deployment and execution: Operators push modular capabilities — message harvesters, call log collectors, microphone/camera drivers, file exfiltration modules — loading only what is needed to reduce footprint.
  10. Data staging and exfiltration: Collected data is staged in encrypted containers, compressed, and exfiltrated to remote servers in chunks over encrypted channels. Exfiltration patterns are often tuned to blend with normal traffic.
  11. Stealth, anti-analysis, and cleanup: The implant hides artifacts (log wiping, ephemeral processes), detects analysis environments, and may self-erase or uninstall on command or if tampering is detected.


Architecture and components (high level)
  • Bootstrap module: Minimal code that runs immediately after exploitation. Responsible for fetching larger components.
  • Core implant: The main resident component that manages modules, persistence, and C2 communication.
  • Functional modules: Separate payloads for specific tasks (SMS/IM harvesting, audio recording, file collection, location tracking, etc.).
  • Encrypted storage: Local encrypted blobs where collected data is staged.
  • Command-and-control (C2): Remote servers and infrastructure that issue commands, receive exfiltrated data, and push updates.


Indicators of compromise (technical IoCs)
  • Outbound connections to unknown or suspicious IPs/domains from device processes that normally do not perform network I/O.
  • Unexpected daemons, services, or processes running with elevated privileges.
  • Repeated large uploads or network activity during periods of user inactivity.
  • Strange or unexplained system crash logs, kernel panics, or sudden reboots following receipt of messages/media.
  • Presence of unexpected encrypted blobs or files in app or system storage.
  • Timestamped activity (file writes, uploads) that does not align with user actions.


Detection and forensic approaches (technical)
  • Acquire a full device backup or forensic image (logical backup, sysdiagnostics, or a filesystem image where possible). Preserving volatile data and logs is important.
  • Analyze system and app logs (crash reports, sysdiagnostics, console logs) for traces of exploitation and unusual process behavior.
  • Network analysis: Capture and inspect outbound TLS connections, DNS queries, and traffic patterns. Look for encrypted upload bursts and connections to rotating domains or known suspicious endpoints.
  • File system inspection: Search for unknown executable files, encrypted blobs, or modified configuration files.
  • Use specialized tooling: Tools that scan backup files or logs for known Pegasus indicators (signatures, file names, artifact patterns) can expedite detection.
  • Cross-correlate timestamps: Match delivery events (incoming messages, media) with spikes in CPU, disk writes, or network traffic.
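As an added example (not code from the original post), the following script applies two of the checks above to a constructed device timeline: crashes that closely follow receipt of a message (the "crash log following receipt of messages/media" indicator) and upload bursts that start while the user has been idle (the "large uploads during periods of user inactivity" indicator, cross-correlated against timestamps). The log format, process names, hosts, addresses and thresholds are all hypothetical assumptions; real triage would read them from sysdiagnose, crash reports and packet captures.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str      # msg_received | crash | upload | user_active
    detail: str    # sender, crashing process, or upload destination
    size: int = 0  # bytes sent (upload events only)

def parse_log(text):
    # Assumed line format: ISO timestamp|kind|detail[|bytes]
    events = []
    for line in text.strip().splitlines():
        ts, kind, detail, *rest = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), kind, detail, int(rest[0]) if rest else 0))
    return events

# Constructed sample timeline (hypothetical values, not real telemetry).
SAMPLE_LOG = """\
2024-03-01T02:10:00|msg_received|unknown_sender
2024-03-01T02:10:04|crash|message_parser
2024-03-01T02:10:30|upload|203.0.113.9|5242880
2024-03-01T02:11:10|upload|203.0.113.9|4194304
2024-03-01T09:00:00|user_active|screen_unlock
2024-03-01T09:00:20|upload|cloud.example.net|120000
2024-03-01T09:30:00|crash|game_app
2024-03-01T13:55:00|user_active|screen_unlock
2024-03-01T14:00:00|upload|backup.example.net|9000000
"""

def crashes_after_delivery(events, window=timedelta(seconds=30)):
    # A crash within `window` of an inbound message suggests a parser being exploited.
    msgs = [e.ts for e in events if e.kind == "msg_received"]
    return [c for c in events if c.kind == "crash"
            and any(timedelta(0) <= c.ts - m <= window for m in msgs)]

def idle_upload_bursts(events, idle=timedelta(minutes=30),
                       window=timedelta(minutes=5), min_bytes=1_000_000):
    # Upload clusters (summed over `window`) that begin with no user activity in the preceding `idle`.
    active = [e.ts for e in events if e.kind == "user_active"]
    uploads = sorted((e for e in events if e.kind == "upload"), key=lambda e: e.ts)
    bursts, claimed = [], set()
    for i, u in enumerate(uploads):
        if i in claimed or any(timedelta(0) <= u.ts - a <= idle for a in active):
            continue
        group = [j for j in range(i, len(uploads)) if uploads[j].ts - u.ts <= window]
        total = sum(uploads[j].size for j in group)
        if total >= min_bytes:
            bursts.append((u.ts, u.detail, total))
            claimed.update(group)
    return bursts
```

On the sample, only the 02:10 crash and the 02:10–02:11 upload pair are flagged; the daytime uploads are suppressed because a screen unlock precedes them.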


Technical mitigations (practical)
  • Keep OS and apps fully patched to reduce the window for known exploit chains.
  • Limit unnecessary services and app permissions.
  • Avoid jailbreaking or rooting devices, which increases the attack surface and eases persistence.
  • Regularly collect and archive forensic logs and backups if advanced threat hunting is required.


Summary

Pegasus is a modular, exploit-driven mobile implant engineered for stealth, privilege escalation, modular payload delivery, encrypted command channels, and flexible data exfiltration. Its technical lifecycle generally follows: target reconnaissance → exploit delivery → privilege escalation → bootstrap/implant installation → C2 communication → modular data collection → encrypted exfiltration → optional cleanup. From a technical viewpoint, detection hinges on careful forensic acquisition, log and network analysis, and searching for specific indicators such as unusual connections, encrypted data blobs, and unexpected privileged processes.
