# Pegasus
Pegasus is the best-documented mobile surveillance tool ever deployed. Developed by Israel's NSO Group, it gives operators complete device compromise through zero-click exploit chains that require no interaction from the target. Sold exclusively to government clients under the label of "lawful intercept," Pegasus has been found on the devices of journalists, human rights defenders, opposition politicians, and heads of state across dozens of countries. Its Android variant, which Google designated Chrysaor, mirrors most iOS capabilities while adapting to the Android security model.
## Overview
| Attribute | Details |
|---|---|
| First Seen | August 2016 (public discovery) |
| Status | Active, continuously updated |
| Type | Commercial spyware (government-exclusive) |
| Attribution | NSO Group Technologies (Herzliya, Israel) |
| Aliases | Chrysaor (Google/Android), Trident (iOS exploit chain, 2016), Q Suite (marketing name) |
| Platforms | iOS, Android |
## Origin and Lineage
NSO Group was founded in 2010 by Niv Carmi, Shalev Hulio, and Omri Lavie, all with backgrounds in Israeli intelligence. The company operates under the claim that it sells only to vetted government agencies for counter-terrorism and law enforcement. Pegasus is the flagship product, though NSO also markets other tools under different names.
The first public evidence of Pegasus emerged in August 2016 when UAE human rights defender Ahmed Mansoor received SMS messages containing exploit links. Rather than clicking, Mansoor forwarded them to Citizen Lab researchers, who published "The Million Dollar Dissident" in collaboration with Lookout Security. The analysis revealed a chain of three iOS zero-days (dubbed Trident) capable of remotely jailbreaking a stock iPhone 6.
Lookout subsequently published a technical analysis of the Android variant in April 2017, designating it Chrysaor. The Android version does not rely on zero-days for rooting: it uses the Framaroot technique, a well-known set of Android root exploits. If rooting fails, it requests accessibility permissions and exfiltrates data through legitimate Android APIs.
## Distribution
Pegasus delivery has evolved significantly over its lifetime, moving from one-click social engineering to fully remote zero-click exploitation.
| Era | Delivery Method | Exploit Chain |
|---|---|---|
| 2016 | SMS with exploit link | Trident: CVE-2016-4655 (KASLR bypass), CVE-2016-4656 (kernel exploit), CVE-2016-4657 (WebKit RCE) |
| 2017-2018 | Spear-phishing links via SMS, WhatsApp | Various browser and kernel chains |
| 2019 | WhatsApp zero-day voice call | CVE-2019-3568: buffer overflow in WhatsApp VOIP stack, no answer required |
| 2020 | Zero-click iMessage | KISMET: exploited iMessage on iOS 13.5.1-13.7, discovered targeting Al Jazeera journalists |
| 2021 | Zero-click iMessage | FORCEDENTRY: CVE-2021-30860, JBIG2 integer overflow in CoreGraphics PDF parser, bypassed BlastDoor sandbox |
| 2022 | Zero-click iMessage | Three new chains exploiting iOS 15 and iOS 16, including PWNYOURHOME and FINDMYPWN |
On Android, delivery typically involves a one-click link that downloads the implant APK. The operator sends a crafted SMS or message through any app. When the target taps the link, the browser redirects through an exploit server that either exploits a browser vulnerability or simply serves the APK with social engineering to encourage installation.
For ISP-level deployment (documented in several countries), operators with access to network infrastructure can inject redirects into unencrypted HTTP traffic, pushing the malicious download without the need for phishing messages.
## Capabilities
Once installed, Pegasus provides total device access. The implant operates as a persistent rootkit with the following capabilities:
### Data Collection
| Category | Details |
|---|---|
| Messages | SMS, MMS, iMessage, email; content of E2E-encrypted apps is read on the device in plaintext, before encryption or after decryption |
| Messaging apps | WhatsApp, Telegram, Signal, Facebook Messenger, Viber, Skype (reads from local databases) |
| Calls | Live call recording and call log extraction |
| Camera | Silent activation of front and rear cameras |
| Microphone | Ambient audio recording, room tap functionality |
| Location | GPS, cell tower, Wi-Fi-based positioning with historical tracking |
| Passwords | Keychain/keystore extraction, stored Wi-Fi credentials |
| Contacts | Full address book exfiltration |
| Calendar | Calendar events and meeting details |
| Files | Browse and exfiltrate arbitrary files from device storage |
| Browser | History, bookmarks, saved passwords |
### Android-Specific Behavior (Chrysaor)
The Android implant documented by Lookout and Cyber Geeks uses a layered approach:
| Component | Function |
|---|---|
| Framaroot exploits | Root the device using known kernel exploits (named after Lord of the Rings characters) |
| Fallback mode | If root fails, request accessibility and usage access permissions to exfiltrate data through Android APIs |
| Self-destruct | Remove itself if it detects it cannot operate covertly, if it has not contacted C2 within 60 days, or if it detects analysis |
| Screenshot capture | Framebuffer reading (rooted) or MediaProjection (non-rooted) |
| Live audio | Record calls and ambient audio via native audio APIs |
## Technical Details
### C2 Infrastructure
Pegasus uses an anonymizing relay network for command and control. Citizen Lab mapped C2 infrastructure across 45 countries by fingerprinting the distinctive TLS certificates and HTTP responses of Pegasus installation servers. The C2 architecture routes through multiple proxy layers, making attribution to the operating government technically difficult but not impossible through DNS and infrastructure analysis.
Exfiltrated data is transmitted over HTTPS, encrypted with unique per-device keys. The implant polls C2 for tasking commands and uploads collected data on a schedule or on-demand.
### Persistence
On rooted Android devices, Pegasus installs itself in system partitions and survives factory resets. On non-rooted devices, it leverages device administrator privileges and accessibility services to maintain presence, reinstalling itself if the user attempts removal.
### FORCEDENTRY: The Benchmark Exploit
Google Project Zero published a detailed technical analysis of FORCEDENTRY, calling it "one of the most technically sophisticated exploits we've ever seen." The exploit chain:
- Sends a PDF file disguised as a GIF through iMessage
- Triggers an integer overflow in the JBIG2 decoder within Apple's CoreGraphics
- Constructs a small CPU architecture from JBIG2 logical operations, building a Turing-complete virtual machine from a decompression codec
- Escapes the BlastDoor iMessage sandbox introduced in iOS 14
- Achieves kernel code execution and installs the Pegasus implant
This demonstrated a level of exploit engineering previously assumed to be exclusive to top-tier nation-state programs.
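As an added illustration (not code from this page, Project Zero, or Apple), the C below models the bug class named above: a 32-bit symbol count summed without an overflow check, beside a hardened version that rejects the input. The function names, the symbol-count inputs and the cap are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the FORCEDENTRY bug class, not Apple's code: a JBIG2
 * symbol dictionary's table size is the symbols exported by referred-to
 * dictionaries plus the new symbols it defines. Summed in 32 bits with no
 * overflow check, crafted counts wrap to a small value and the table is
 * allocated far smaller than the entries the decoder later writes into it. */

/* Vulnerable pattern: plain 32-bit addition wraps silently. */
uint32_t num_syms_unchecked(const uint32_t *ex_syms, size_t n, uint32_t new_syms)
{
    uint32_t total = new_syms;
    for (size_t i = 0; i < n; i++)
        total += ex_syms[i];    /* wraps modulo 2^32 on crafted input */
    return total;
}
/* Hardened pattern: check every addition for overflow and enforce a cap.
 * Returns 0 and stores the count in *out, or -1 if the input is rejected. */
int num_syms_checked(const uint32_t *ex_syms, size_t n, uint32_t new_syms,
                     uint32_t max_syms, uint32_t *out)
{
    uint32_t total = new_syms;
    for (size_t i = 0; i < n; i++)
        if (__builtin_add_overflow(total, ex_syms[i], &total))
            return -1;          /* overflow: reject the segment */
    if (total > max_syms)
        return -1;              /* implausibly large: reject as well */
    *out = total;
    return 0;
}

/* Bytes a decoder would allocate for a table of 'count' symbol pointers. */
size_t symbol_table_bytes(uint32_t count)
{
    return (size_t)count * sizeof(void *);
}

int main(void)
{
    /* Constructed counts: a referred-to dictionary claims ~4 billion symbols. */
    const uint32_t ex_syms[] = { 0xFFFFFFF0u, 0x20u };
    uint32_t wrapped = num_syms_unchecked(ex_syms, 2, 1), checked = 0;
    printf("unchecked: count %u, table %zu bytes for >4e9 entries\n",
           wrapped, symbol_table_bytes(wrapped));
    printf("checked: %d (rejected)\n",
           num_syms_checked(ex_syms, 2, 1, 1u << 20, &checked));
    return 0;
}
```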
## Known Deployments and Targets
Citizen Lab identified suspected Pegasus operators in 45 countries as of 2018. The Pegasus Project investigation in 2021, coordinated by Forbidden Stories with technical support from Amnesty International's Security Lab, revealed a leaked list of over 50,000 phone numbers selected as potential targets by NSO clients.
| Country/Client | Known Targets |
|---|---|
| United Arab Emirates | Ahmed Mansoor (human rights defender), journalists, activists |
| Saudi Arabia | Associates of Jamal Khashoggi (before his assassination), women's rights activists, Al Jazeera journalists |
| Mexico | Journalists investigating cartel corruption, lawyers, anti-corruption activists, scientists advocating sugar tax |
| Morocco | French journalists, Moroccan activists, French politicians (Emmanuel Macron's phone number appeared on the list) |
| India | Journalists, opposition politicians, lawyers, activists |
| Hungary | Investigative journalists, media owners |
| Poland | Opposition politicians, prosecutors |
| Bahrain | Activists, documented by Citizen Lab |
| Rwanda | Journalists, opposition figures |
| El Salvador | Journalists from El Faro |
## Notable Campaigns and Discoveries
August 2016: Citizen Lab and Lookout publish "The Million Dollar Dissident", revealing the Trident exploit chain used against Ahmed Mansoor. Apple patches the three iOS zero-days within ten days. This is the first public documentation of Pegasus.
April 2017: Lookout publishes the Chrysaor (Pegasus for Android) technical analysis, documenting the Framaroot-based rooting approach and the fallback non-root exfiltration mode.
September 2018: Citizen Lab publishes "Hide and Seek", mapping suspected Pegasus operators in 45 countries through Internet scanning of C2 infrastructure.
May 2019: WhatsApp discloses CVE-2019-3568, a buffer overflow in the VOIP call stack exploited by NSO to install Pegasus. No user interaction was required: the exploit triggered via a missed call. WhatsApp (Meta) subsequently files a federal lawsuit against NSO Group.
October 2019: Google Project Zero discloses CVE-2019-2215 (Bad Binder), a use-after-free in Android's Binder IPC, linked to NSO Group's Pegasus delivery on Android devices including Pixel, Samsung, Huawei, and Xiaomi.
December 2020: Citizen Lab reveals the KISMET exploit, a zero-click iMessage chain used to compromise phones of 36 Al Jazeera journalists. The exploit targeted iOS 13.5.1 through 13.7 and stopped working against iOS 14's BlastDoor mitigation.
July 2021: The Pegasus Project publishes across 17 media organizations in 10 countries. Amnesty International's Security Lab releases the forensic methodology report and the Mobile Verification Toolkit (MVT), an open-source tool for checking devices for Pegasus indicators. Citizen Lab peer-reviews and validates Amnesty's methodology.
September 2021: Citizen Lab captures the FORCEDENTRY exploit in the wild on a Saudi activist's phone. Apple patches CVE-2021-30860 and credits Citizen Lab. This is the first time a zero-click exploit for iMessage is captured as a complete artifact.
November 2021: The U.S. Commerce Department adds NSO Group to the Entity List, restricting exports of U.S. technology to the company.
December 2021: Google Project Zero publishes their deep dive into FORCEDENTRY, describing the JBIG2-based virtual machine as an unprecedented exploitation technique.
April 2023: Citizen Lab documents three new zero-click exploit chains used in 2022 against civil society targets in Mexico, including PWNYOURHOME (targeting HomeKit and iMessage on iOS 15 and 16) and FINDMYPWN (targeting Find My and iMessage on iOS 15).
October 2019 - present: Citizen Lab continues documenting new abuse cases, with over 100 identified across multiple countries.