TrojanSpy:AndroidOS/Pegasus.B
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This threat can collect your sensitive information and send it to a malicious hacker.
Pegasus spyware was discovered in August 2016 in the Chrysaor Android app. It was also found to exploit iOS mobile phones. This threat downloads and launches a malicious payload on Android and iOS mobile phones to perform its malicious activities.
Pegasus uses several stealth and anti-analysis techniques including code obfuscation, automatic self-destruct behavior, and background monitoring of third-party applications. This threat family has been known to perform the following operations:
- SMS theft
- Sending messages over WhatsApp, Facebook, and SMS
- Receiving and responding to external commands
- Location monitoring
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
For end-users
- Avoid password reuse between accounts and use multi-factor authentication (MFA)
- Protect yourself against malicious threats and attacks
For enterprise
For Microsoft 365 Defender customers, follow this checklist:
- Use Microsoft Defender for Endpoint on iOS, Microsoft Defender for Endpoint on Android, and Microsoft SmartScreen to provide additional protection from connections to the known infrastructure associated with these attacks.
- Turn on cloud-delivered protection in Microsoft Defender Antivirus or the equivalent for your antivirus product to cover rapidly evolving attacker tools and techniques. Cloud-based machine learning protections block a huge majority of new and unknown variants.
- Turn on tamper protection in Microsoft Defender for Endpoint, to prevent malicious changes to security settings.
- Run EDR in block mode so that Microsoft Defender for Endpoint can block malicious artifacts, even when your non-Microsoft antivirus doesn’t detect the threat or when Microsoft Defender Antivirus is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
- Enable network protection to prevent applications or users from accessing malicious domains and other malicious content on the internet.
- Enable investigation and remediation in full automated mode to allow Microsoft Defender for Endpoint to take immediate action on alerts to resolve breaches, significantly reducing alert volume.
- Use device discovery to increase your visibility into your network by finding unmanaged devices on your network and onboarding them to Microsoft Defender for Endpoint.
- Avoid password reuse between accounts and use multi-factor authentication (MFA) internally on high-value systems to limit the value of harvested credentials.
- Use multi-factor authentication (MFA) to mitigate internal traversal after credential compromise as well as further brute-force attempts made by using credentials from infected hosts. Always enable MFA for privileged accounts and apply risk-based MFA for normal accounts.
- Require multi-factor authentication for local device access, RDP access, and remote connections through VPN and Outlook Web Access. Institute multi-factor authentication, such as Windows Hello.
- Enable Reputation Protection and SmartScreen within App and Browser Security settings.
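The Windows-side items in this checklist (cloud-delivered protection, sample submission, network protection, tamper protection, EDR block mode versus passive mode, and current definitions) can be audited from an endpoint with the built-in Defender cmdlets. The script below is an added example, not Microsoft's own code; it assumes the Defender PowerShell module is present and uses the documented enum values for MAPSReporting, SubmitSamplesConsent and EnableNetworkProtection.

```powershell
# Added example (not from the Microsoft page): audit a Windows endpoint against the
# enterprise checklist above. Run in an elevated PowerShell with the Defender module.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

$checks = @(
    [pscustomobject]@{
        Item   = 'Cloud-delivered protection (MAPS)'
        Value  = $pref.MAPSReporting                    # 0 = off, 1 = basic, 2 = advanced
        Passed = ($pref.MAPSReporting -eq 2)
        Fix    = 'Set-MpPreference -MAPSReporting Advanced'
    },
    [pscustomobject]@{
        Item   = 'Sample submission for cloud analysis'
        Value  = $pref.SubmitSamplesConsent             # 1 = safe samples, 3 = all samples
        Passed = ($pref.SubmitSamplesConsent -in 1,3)
        Fix    = 'Set-MpPreference -SubmitSamplesConsent SendSafeSamples'
    },
    [pscustomobject]@{
        Item   = 'Network protection'
        Value  = $pref.EnableNetworkProtection          # 2 = audit mode only, not blocking
        Passed = ($pref.EnableNetworkProtection -eq 1)
        Fix    = 'Set-MpPreference -EnableNetworkProtection Enabled'
    },
    [pscustomobject]@{
        Item   = 'Tamper protection'
        Value  = $status.IsTamperProtected
        Passed = [bool]$status.IsTamperProtected
        Fix    = 'Enable in the Microsoft Defender portal or Intune (no local cmdlet)'
    },
    [pscustomobject]@{
        Item   = 'AV running mode (passive mode requires EDR in block mode)'
        Value  = $status.AMRunningMode
        Passed = ($status.AMRunningMode -in 'Normal','EDR Block Mode')
        Fix    = 'Turn on EDR in block mode in the Microsoft Defender portal'
    },
    [pscustomobject]@{
        Item   = 'Definitions updated within the last day'
        Value  = $status.AntivirusSignatureAge          # age in days
        Passed = ($status.AntivirusSignatureAge -le 1)
        Fix    = 'Update-MpSignature'
    }
)

$checks | Format-Table Item, Value, Passed, Fix -AutoSize
# Non-zero exit when any item fails, so the script can run from a scheduled task or RMM tool.
exit ([int](($checks | Where-Object { -not $_.Passed }).Count -gt 0))
```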