Zimperium Blog

Understanding – “Pegasus” a Targeted Attack Remotely Infecting iOS Devices


Pegasus is a sophisticated trojan targeting the iOS platform. It provides an attacker abilities to remotely monitor and capture communication from a device (including calls, texts, Whatsapp, Viber, etc). A successful attack transforms a device running iOS into a powerful surveillance tool. This is a persistent attack and enables an attacker to remotely update and control the device to provide additional functionality as required.

This chained attack was developed by a professional organization, leveraging three zero-day vulnerabilities in the iOS platform, unpatched until the latest release (iOS 9.3.5):

  • CVE-2016-4657 WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site
  • CVE-2016-4655 – Infoleak of kernel address space.
  • CVE-2016-4656 – Kernel privileges escalation. Allows the attacker to run elevated code with Kernel privileges.

CVE-2016-4657 is used for initial remote code execution on the victim’s device. In some scenarios, man-in-the-middle (MITM) or WAP Push Message, the attack could be triggered without user-interaction. This attack can also manifest itself as a link or embedded in a website. Once initial code execution is achieved, the attackers use an infoleak vulnerability and finally a kernel exploit.

To ensure persistence, Pegasus replaces the “rtbuddyd” daemon with another signed binary, JSC, to run the html code leveraging the vulnerabilities above after the device is restarted.

This attack vector is particularly high risk since the initial attack vector to compromise the device can be delivered remotely, by a user simply clicking on a link – in the initial case this link was delivered via SMS. After the initial exploit has been delivered, the attacker is able to install the additional monitoring and control software without detection from the user.

How can Zimperium help?

The Zimperium zIPS solution leverages the z9 engine: a purpose built, machine learning engine to detect exploitation of a device’s operating system, networks the device is connected to, and the apps installed on the device.

Based on detailed, technical analysis of this attack, Zimperium is confident that the zIPS solution is able to detect exploitation of the device without modification or updates to our product using our unique exploit detection capabilities delivered by the z9 engine. This attack would be detected as a critical “System Tampering” event in zIPS and zConsole.

Further information will be provided as more comprehensive analysis of the attack is performed.