背景介绍

NSO Group Technologies (NSO standing for Niv, Shalev and Omri, the names of the company's founders) is an Israeli technology firm whose spyware called Pegasus enables the remote surveillance of smartphones. It was founded in 2010 by Niv Carmi, Omri Lavie, and Shalev Hulio. It employed almost 500 people as of 2017, and is based in Herzliya, near Tel Aviv, Israel.

样本来源:https://bazaar.abuse.ch/sample/bd8cda80aaee3e4a17e9967a1c062ac5c8e4aefd7eaa3362f54044c2c94db52a/

SHA256: bd8cda80aaee3e4a17e9967a1c062ac5c8e4aefd7eaa3362f54044c2c94db52a

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/39a0a67a-8fe9-4be5-97e1-16b10050ca12/Untitled.png

apk已经经过混淆,没关系,这次主要关心Native的功能。

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/224745fc-80be-4535-91cd-9270d881140a/Untitled.png

data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAQQAAADtCAYAAABZNAv0AAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAAEnQAABJ0Ad5mH3gAABY4SURBVHhe7Z2/yzQ7Fcef/8JSvCKIYqG1heXTWQlesBCsBS88Ilq9XEtLC4UXLldBQQRblVu87y1EbAQrC4u3srSwtFonP04mOTmZOZnd7CaT7wcCu9kzM5nZnG9OZndOni4AAOBpIgivXr3yrwAAI4EIAQAQgCA04+3l5enp8vz6nX/fkHevL8/LsZ6eXpajarlj+8AwYMrQDAjCuZjjeg0ZIXzw9c/4Vz3TeweCINQBQTjMqxtFCG8+/Orl0598JSs//9ZnxXpj3w8QhHMBQVBhnF9bavn0R1++/OvNR5d//+1Xofz99z+7fPSDb4v1xl5NCLPX8sLi7Xevny9Pz68v73xnCLbc0PLu8vo5svEl6UD2mM8XU2X3HexcXQo75lKyw/JzsG0toWhfFbx9+Tm4c+TTGL9ddDKl68zbprVzaK/f9veR1uflbAJxE0HQoLWLaScIS2dhzuO++LRTx50hdKa3L+l7g3fMtHO4DpnUxQ4cduAdNW6PsD9qS9apPW9f2D5itO1T450taUzpmioFwdQtZb0srs3xIbR2VLd7/byd3ee6w/z7sFxzvcaha0F488MvWWf/338/ufznH7+15Z9/+oUVBKqnz0y9sT9O/oXLTpjbyc4odCDqgOkO/XHIcXyHZDaGLaev/+yKDi45oUB6XoQ7riQIfH+83Tq7iuun+j6IK67XQDQRBPOlcSS7PT75wAkCiYF1/D//MggCrzf2x8m/cF2HLnUUoV7jSN5G7Hg2OpGmF+Yj1tkDFe1T46/BzrnUCQK3y+tVdjXXTylsjmuu1zh0LQh//P4X7VTAjP7G4U3568cfXn78zW+s9f4zU2/stbhO5Dp1XOIvXO6AvEOXOopQXyEIok03gmDg9yTydumuX8kur1fZ1Vw/CELGTQUhdqy4GIxdbEuv4zrC/Kxoivk1wUQDcTFiQIV/Zuxp2y1cB+IdIf/C5Q7IO3Spowj1FYIgdTzXnl4EIcZfE3ZuuutXssvPSWVXc/0gCBldRghtBUF/00jXoeU5q9uWdSBVB7z1PYSK9hG+nZLzlVFeP9p31B75Ouft1tlVXL8qQSjv90x0KQjEH773BfHXBCMGUr2x12A7hjBScAeRO2BphFv3Z98/v1xelg5ULwgL/peMvC1ydGDYEgt1+zzO3l0Psa1L+/h2Yvv4+UbXec/R3XeU1mnt1NevShDoWOXv4Ax0LQi/++7nrbNrf2Uw9jq82lPntF+yq8s70b4gGFxn8cV+lu+vqgP6Tr0W3g5qX2yzFu6wqvYRwXHzYxL5sWVHSe3M/vKRVjwPQdy0dhbF9aPzVH0fFt5vCtdvYJoIgoTWLuY333nPOj6JgXX8jV8ZjD0YD+foZfEhtHbgODcRBG2p5dfvvyf+ymAEQfqVwdiD8YAg9MPVgtASCMIcQBD6oYkgHIkGJP7y069dPn7/c1kxvyZI9cYejAcEoR+6jhBK7P3PAABwjK4jBADAfRkyQgAAtAGCAAAIYMoAAAggQgAABBAhAAACiBCGIX+a8Cju9/yn7HmMW4P/DYwHBGEYIAigPUNOGbr9Y5LmCbvD3E4Q7gUEYTy6jhDGWZeBHovljwAvTlx6PLcaCAJoz9WCYKIBbaml6boM3sHW0byU+II/A5/bUQh+2wg8f/belFgQZIfz57WXb2ApibjY3ADm3NbrYnYRts2ETXtdTPtSWy5q1s7un30njac0IOcmgqDhiCC0S8OeO408mpeda63ynf1mkcCCT9yROo5ryxFByMn35Y75fHl+No4dObDZT5ZIRHNd1rqk3k+rjtiB9swpCMpMObLDeWehjf2+th2wDpvdqCBObQVh3S5JF8aul+q6LJCjp00pnce+HWhP14LQbl0G7zRZJ4zJOziROKx3ltt13JIjlBzptoJAm0nn6D5TXpcFbfuOnwe4NV0LQst1GULHNp3OFj4H9h2yWHwHZiPr9QjOasnrHyMIyuuyAEEYj5sKgtxB3CGMXWxLr+M6glKpt0nDLrF28rX/lUfCFL9tFuIfxe2vX0HQXhd9+yAI/dB1hNAqDbtM7iQ8BC5h7YS77EUoqsicwCA7nHMahSDQvjcd6RpB0F8XCMJ4zCkIb+vWFdjvlL7zStMOwXHIudOIZIW3xb7XrPNA7TVls83XCUI4zuYxjJnO0bV2oD1dC0K7dRmoEy4dLpTSCE/OnhYuKAYXKcSFd3JPcNzC5wvJvqxTuMhBFjKyNfvThPRXCoJl/7pAEMaja0HAugyN8A4uiRqYm5sIgrbUgjTsjcCffkCBqwWhJUjDfguWKcRLfB/Dh+KKm4JgPiAIMxDuWfiC0AAU6FoQSnT7+DMAgzOkIAAA2gBBAAAEIAgAgAAEAQAQGFIQjvynAQCwDyIEAEAAggD8swSP+n+C8FwFeBiYMgjM9j8HCAIgECEIXCsI+VOPplTkS5gKCEJPTBshmDUcWq374AQhfZzX1UEUciAIPdG9IBjn15YazBoOfN0H8wSlKeZpSikBi3bdB0kQyo8c+/wFu5GEfyhp147vz5X4uGkOBdmGnoiUHNVtz4+vPY/99oHHMYQgaNDaESZlO0/zTo9TxwlYQr6FpV6b5n1LENJpunfyqJKcdc/O1vEnFkXR0YzAko133OypyEJbWJ14HofbB+7FkIJgOhpHstvCpGznad4p50IpAYs2zXsuCLJzOafhmYK8bexJopjk2OMWHLheEKh9bKQvLrSyfx7H2wfuBQShmSDwUgixBS/PHcePwEspi0LJsY4LglSft017Hte0D9yLaQXBrOHA130wWZeydR+8SNSs++AEgY2Y2ZzcOcIqGLwURtzwOReYaxyubLPv1NrzuKZ94F4MIwhyZ1ubT3YGeh3XxZifFc0vCaaYaIAKrfdAJf7MFGOv+UlSFISF1LnKI+s+qxOum1/jcBs2Vsi8+NjX+1MDmWvaB+7FtBGCSdnO07zTrwxGDK5J864ThPx9HdyRZMekm3uHBSHar22v4Pi687imfeBeTCsIJmU7T/O+9yuDNs27KAjCzTi6Wbg7ui7bcoeRbvjxOnK26wQh3Y/YVOV5iO2T1psAD2NIQZDoTxB4ySMGh3NGbi8LQGzD7yE4kmPbUVsTku/ZUBtL52DQnUfSPisgLnKAIPTBtIJg1nDg6z7QDUQSBKqnz8Zc90EhCOL/A2I0ogLOwBCCoC01mDUc+LoP9CuDEQTpV4Yx131QOLM0nYlw0clWdADOQveC0AqTsn2ONO9cEJYQvWadBi8WiA7mYEhBqI0GajnX489ChEA3AakIocHujURwSqaNELaYLR8CAAQiBABAABECACAAQQAABDBlAAAEECEAAAKIEAAAAUQIAIAABEGgz/8h4HkC0J5ppwwt07AH/N9+13LN8wAQBNCeaSOEtoLgk4FkjygvTn2zhCgA3J7uBcFEA9pSQ8t1Geg5gL1nAOSnCJ3j0/MFeR6EtASB2HgIye2DixOJVmF/YEqGEAQNtYLQbl0G72iKSEAjCCt7EULpuML+xPwHiEDAoIJgRjJOrSA0S8OuTYu2cFtBoP2xSEDIdSDnQIQggIkFoVka9t3sQyu3FgTJJnf+0n4gCACC0EwQHhEhGFIBkLaBIIAywwiCEQGpEGRnoNdxXUzbdRm8Q9/9HoLHThH8tMG+lvcPQQAS00YI7ddlkLMix4iCUIww/E3D3chjtbPtUO7HtQWCMDvTCkLLNOw02u7+D8E7f/BNEgNTBMevExq3H2E3/vN1P7E9BGFuhhQEiVpBuEcadufAceHhe+qM7vOtSMB/Fu1TdmASpPx4RNI2K1KYMgAIQlNBeBxHnBuCAAYRBG2p4czrMriooxwdyEAQwACC0IrTrsuw8RfmbSAIYGJB2GLENOx7NxL3gSCAQQWhdnoAANCBCAEAEECEAAAIIEIAAAQgCACAAKYMAIAAIoQWxE8cagjPMOz8mUhrB8BBECG04KGCgP8TgOMgQhC4+o9JtYJwUyAI4DjTCkLTNOwQBDAo3QuCmR5oSw0t07CLgmDrWLgf5z8wpZRlSWGXPkadFwgE0DCEIGjoWhBIDDYeMrD5CRRp1/btECGA40wrCO3WZViIBcGLwZ6DQhBADwwpCMbBOLWC0GxdBgMJwmudGBggCKAHphWEZmnYDTRF8EXzODIEAfTAMIIQO1hciFgQ6HVJJNqmYV+IpgzWgZd27okCBAH0wJQRwj0F4bK4rkuMGt1kFLidIGwlaQVgmykFwdByXYZUEAz7onA7QfA2OwIEgMS0gtB0XYZMEAwulI+nD1v/HYhDfq3dijZdOwApQwqCRK0gnDsNOwDHGEIQtKWGM6dhB+Ao3QtCKyAIAOQMKQi10YDEaddlAOAKpo0Qtrj68WcABgWCAAAITDtlAADkIEIAAAQQIQAAAogQAAABRAgAgAAiBABAAIIAAAhgyiBw3z8mrU9BulJ6bFlrR6z2fT3peMPzZZmp1oKVrY4ybYTQdF0GNb7TR8lM6FHnNL+J1m7F5URwpR9BuPH5io+Zg2voXhBMNKAtNbRMw247r01iko5y3DHlZCc+l0FUr7UL+HUcXt664/Pjltp3NMvSw863ShDyHBFSG2dnCEHQoLUjWqZhp9HMlOBjwUn9e+88WYcMYTCFvVo7wnd8e6ANQbDbRu3x+zuiCQ87X1unEATflnSfheNMDgShoSBw50pGvsxhaLulw8cdXWvnCZ/Zd9uCkLbvuIM87HzteydEa6FzX5EjDgiCxJCCYL54Tq0gtFyXIXXKlaSedfyk0/qObj/T2ll4J98SBN4+Z3tk2vC48+XQtCAWyZLjQxAkphWElusy1DmI0DFtx+cj5o6dfRs5j0Xu9I8VhNudrww/D/kalOvnZhhBMCIgFYLsDPQ6rotpnYa95CCpw/qOuxTug+n2SjvRWeROL7fPH+eGgtD0fIvw85CvQbl+bqaNEFqmYZc7bnyzz5GP6IZjdtbGOMJGoc5fLQh+1C454yPOt4hv6+ro8nauzRAEDgThToLgHJY5DTla1Fndtmyk19plyKOg7MBlQSDnMUXyx27Ol7ZjYsK3jc8HgpAyrSC0XJch7nChZCOehzpxKNxRPVq7hNsIwnps+ZiPOl/puFLzDUkEZdsmX5vZGVIQJGoFoeW6DLLDnZcxzxeCIDGEIGhLDS3TsEMQRgCCING9ILSiZRp2CMIIQBAkIAiC40MQ6oAgnIchBaF2elAL1mUAszJthAAAyEGEAAAIIEIAAAQgCACAAKYMAIAAIgQAQAARAgAggAhBAP9DALMCQRAYf10GbjvPvybBdUw7ZTjrugxUj7/kgiN0LwjG+bWlhlOuy+BzCJRyAjioTTzCKNWDmRhCEDTUCsI90rAnI3jmrM4Bs5Hc5kY021KYr7Xzx82EQ4CSj3DRgRhMz5CCYByBUysI7dOw5yN1MtILo7nbbnFwMQuxszGIdhQxLIZJdqCliNMHLyh2v/41phkAgtBMEPIbeUk9c/RELGJn1dqRIES2Fr+95OyJcCQbgVmZVhDOty6DvwcgOLZz/Lw9YRtMFYBnGEEIIxkrRCwI9DquiznlugzRlIGz3Z6Xywu/OQmmZdoI4d5p2CWHTQWCuNJuV4gcro1pFIJ7CGBaQWifhj11TNFZvSPGTp04KlFpl08r5PsK+f7yKATMxZCCINGfIBgBiEopJCfnDCUf4S2H7Qrikm1fnpqAeZhWELAuAwA5QwiCttSAdRkAyOleECRqnV8CadgByBlSEFpz7dOOEAQwKhAEAeRDALMy7ZQBAJCDCAEAEECEAAAIIEIAAAQgCACAAKYMAIAAIgQAQAARggD+hwBmZdoIoY807Ib1KUPx6cTAnh3/nBUkQAEKIAiC499PELwT7+Yl0NpJuG2R/ARo6F4QzPRAW2o45boMAk44omjCJ0yRBCKzBdMxhCBoqBWEM67LkJNHFmUhkWzBbAwpCMYROLWC0D4Nex7OJyN9JhC03eLgcTZlrZ1AacQX673AQA/mZlpB6CcNu/0oFYvYObV2GVsjfh51yNMSMBsQhIcLgjAlECOEHTuGGAVEpAIg7BtMyTCCYERAKkQsCPQ6ros557oMMX4bOXRwxGJiX0v7AbMxbYRwxnUZiL3owLFub/e/JR5gGqYVhPZp2FNBsE7HRcJPB2JnFJ1Za2dRRAcetw/TrtJ9CDAbQwqCRK0gtE/D7hwtlNINO3L2UAqhu9KOjq1zcJqOFI4JpgOC0EwQRnAyJwi4mQiIIQRBW2rAugwjCRe4F90LQiumX5fB/4cB0QGIGVIQaqOBWs68LoNrm7sPgRuJgDNthAAAyIEgAAACmDIAAAKIEAAAAUQIAIAAIgQAQACCAAAIYMoAAAggQhC477oMa74DV0qPLSvtsoeg8G9EoGfaCOGUadj935GTOi8QEAWgoXtBMM6vLTWcMQ271i7++3Ja9pKqgLMzhCBo6E4QvJOF0dqP1Ovo7cQiG7n9KL8+C6G1o+PyZyjy6CLHiQaiCDCtINxjXQbug8kInglE5NDW2f1orbWzUERCdfSei0SK3V8WWYAZGVIQjLNxagWh/boMuRMm9czRE7GI7wVo7SLccYwQLIV/yBEEB8zLtIJwzjTsPCKg9yWHXxOtAmAYRhDCiMcKEQsCvY7rYs6Zht07d3bcUn25nWBepowQHiMI+Wi8+atAtZ0XjszOb8/bg6kCEJhSEAz3Xpdhyylj53fbxtOABaWdOwZzcmHbpTITHQAM0wpC+3UZnHOGIozcFnLYUAohvNJOOjb/OVFsny/46XFuhhQEiVpBQBp2AHKGEARtqQFp2AHI6V4QWgFBACBnSEGojQYkpl+XAQCBaSOELe77+DMA/TBthAAAyEGEAAAIQBAAAAFMGQAAAUQIAIAAIgQAQAARQne4pxaPPFOA/z+Aa4EgdEdJEPaF4rGCcFzIQD9gyiDw2D8mQRDA45g2QuhjXQYJCAJ4HN0LwqslGtCWGlqmYXdQ6rK9fAPbds7J88+pxPtbBSHdp+yk/LgsKYtP4Cpt647j7GvaB/pnCEHQoLUjWqZhX7zEJjNJnUEYQbV2Fm2E4BwxJEMSMzO7feUZmGI7LxhZYpd8W8d++0D/QBAaCIKcAzF3GK2dY9/hcqc25Ns5Oz618AKQiYQcOWR6oGgf6J8hBcF0SI5kt0W7dRm0Dq21I/YdTnZ0t93q6LnjE7lA5ceURcyw3z7QP9MKQrt1GbQOrbUj9h1OJwj+fbGk26cCsNWG/faB/hlGEOTOuzaf7Az0Oq6LaZuGveQYvF5rR+w73LURgki8GIx9zfdP7LcP9M+0EUK7NOyywzlnjR1Ga0fsO7JOEIxfL+/FsF9iPa7drnj8SqEBXQJBuLkgkGOuN+PIybmji3bPL5eXxbGkkdY6JL/JF6EVhMVQWKuhTNz+rU322gf6Z1pBaLkug8E5hy92NJZD6sTOepsbaSVBoM+CPdufWhAsvp4V+bhkW5ouENvtA/0zpCBIaO2IlusyyMiCMAYjtx3UMIQgaEsNLdOwy4zrVHLkAc5I94LQipZp2GUGFYSNvzCD8wFBEBwfgkBRgbsPoLz3CE7AtIKwBdZlALMCQQAABCAIAADP5fJ/Q5eKn5/aZDsAAAAASUVORK5CYII=

可以看到在AndroidManifest.xml中注册了很多广播接收器,如启动后,短信接收时.....

广播接收器用于响应来自其他应用程序或者系统的广播消息

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/30d35710-6031-4504-8e28-e61d578258f8/Untitled.png

注册对应的类

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/27a94d60-a999-4a11-a1ae-e590831b7b9a/Untitled.png

同样也申请了大量的权限,基本涵盖了所有的权限

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/78c3695e-b1ae-4e94-8e21-d85042048c15/Untitled.png

发现资源有几个ARM32 Native 程序,用于实现几个功能。

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/9dd5bfaf-d703-4eac-9cad-e463b99bd6fd/Untitled.png

先看cmdshell 功能:

设置用户标识和组标识,主要是为了root执行命令

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/d57635ba-39e4-4b90-852b-b08179e3aace/Untitled.png