In August 2016, Apple pushed an emergency iOS update to patch zero-day vulnerabilities, dubbed Trident. The zero-days include CVE-2016-4655, a memory corruption vulnerability; CVE-2016-4656, a kernel base mapping vulnerability; and CVE-2016-4657, a kernel memory corruption vulnerability that leads to jailbreaking the device. The Israeli software company NSO Group sold the vulnerabilities and the spyware used to exploit them, called “Pegasus.” Pegasus is advanced malware that uses code obfuscation and encryption, and bypasses application-layer security in many popular voice and audio calls and apps, such as email, Facebook, WhatsApp, FaceTime, and Telegram. The malware can steal the victim’s contact list, GPS location, and any personal WiFi and router passwords stored on the iOS device. The NSO Group sold the spyware to governments and third parties that then used Pegasus to remotely spy on high-value targets, such as human rights activists and journalists.

The iOS spyware was first revealed by a human rights activist in the United Arab Emirates, who contacted Citizen Lab after noticing a strange text message sent to his iPhone from an unrecognized number. The specially crafted text message contained a suspicious link. The activist did not click the link and instead forwarded the text message to Citizen Lab. Citizen Lab researchers analyzed the link and determined it was part of a network of exploit infrastructure domains used by the NSO Group.


  • August 2016: A Hacking Group is Selling iPhone Spyware to Governments. (Wired)

  • March 2017: Google and Lookout researchers published a report on the activities of a new Android malware family, Chrysaor, believed to be the counterpart to the Pegasus iOS spyware. (Google)

  • July 2019: The creator of Pegasus has been observed advertising an upgraded version of the malware affecting both iOS and Android devices. These advancements allow the malware to copy authentication keys and access services such as Google Drive and iCloud via scraped data from servers of Apple, Google, Amazon, Facebook, and Microsoft. (Cyware)

Technical Details

  • Lookout provides a technical analysis of the Pegasus malware, available here.

Via Lookout
