
S0316: Pegasus for Android

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. [1] [2] The iOS version is tracked separately under Pegasus for iOS.

Platform: Mobile | ID: S0316 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Pegasus for Android is a mobile malware entry in ATT&CK for Android, reported by MITRE’s sources as linked to NSO Group and tracked separately from Pegasus for iOS. Its value for defenders is not the name alone; the associated behaviors show why high-risk mobile devices need executive attention: privilege escalation, persistence through Android broadcast receivers, discovery of installed software and network configuration, access to stored application data, collection of calendar/call/contact data, microphone/camera capture, and out-of-band communications can turn a phone into a source of sensitive business, identity, and operational intelligence.

Executive priority

Treat this as a mobile security readiness and executive-risk use case, especially for users with privileged access, sensitive communications, legal/regulatory exposure, or operational decision authority. Leaders should ask whether the organization can inventory Android devices, confirm patch and root status, govern risky permissions, preserve mobile evidence during incidents, and distinguish personal-device privacy constraints from enterprise monitoring needs. Because ATT&CK provides no official detection text for this object, coverage should be proven through control validation rather than assumed from endpoint or network tooling.

Technical view

Validate Android-focused coverage against the related techniques: exploitation for privilege escalation (T1404), stored application data access (T1409), software and network discovery (T1418, T1422, T1422.001, T1422.002), audio/video capture (T1429, T1512), persistence via broadcast receivers (T1624.001), calendar/call/contact collection (T1636.001, T1636.002, T1636.003), out-of-band data channels (T1644), and compromised client software binaries (T1645). SOC and IR teams should map which of these can be observed through MDM/EMM, Android security events, application inventory, permission state, network telemetry, and forensic acquisition. Prioritize validation on managed Android devices and high-risk user populations.

Likely telemetry

  • Android device inventory, OS version, patch level, and enrollment status
  • MDM/EMM records for installed applications, application provenance, and permission grants
  • Signals of rooting, privilege escalation, or unexpected changes to protected/system areas
  • Android broadcast receiver registrations or applications triggered by boot, SMS, or other system events where available
  • Application access to contacts, calendar, call log, microphone, camera, and external/internal storage permissions

Detection direction

  • Do not assume coverage: MITRE provides no official detection guidance for this malware object.
  • Build detections around behavior clusters rather than the malware name: unusual permission combinations, sensitive data access, persistence triggers, device discovery, network discovery, and out-of-band communication patterns.
  • Tune carefully for false positives because many legitimate Android applications request contacts, calendar, microphone, camera, or network permissions; risk scoring should consider app reputation, enterprise approval, user role, install source, and privilege/root status.
  • Validate whether BYOD, privacy controls, and mobile OS limitations prevent collection of the telemetry needed to investigate these techniques.
  • Use the relationship set to guide test cases for mobile SOC runbooks: privilege escalation evidence, application data access, discovery activity, capture permissions, persistence mechanisms, and modified binaries.
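The behavior-cluster scoring described in the bullets above, written out as an added example (not Glexia's or MITRE's code): it runs over an MDM/EMM application inventory export and scores each app by how many of the related technique clusters its permissions touch, whether it registers for `BOOT_COMPLETED`, its install source and enterprise approval, device root status, and user role. The record field names, the trusted installer list, the weights, the threshold and the three sample records are all constructed assumptions; the permission and broadcast-action strings are real Android identifiers. The example generalizes the page's single-malware case into a reusable triage routine.

```python
"""Behavior-cluster risk scoring over an MDM/EMM application inventory.

Added example, not part of the page. Field names, weights, sample records
and the trusted-installer list are assumptions; adapt them to your export.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Permission groups mapped to the technique IDs from this page's relationship table.
CLUSTERS: Dict[str, Set[str]] = {
    "T1429 Audio Capture": {"android.permission.RECORD_AUDIO"},
    "T1512 Video Capture": {"android.permission.CAMERA"},
    "T1636.001 Calendar Entries": {"android.permission.READ_CALENDAR"},
    "T1636.002 Call Log": {"android.permission.READ_CALL_LOG"},
    "T1636.003 Contact List": {"android.permission.READ_CONTACTS"},
    "T1644 Out of Band Data": {"android.permission.RECEIVE_SMS",
                               "android.permission.SEND_SMS"},
    "T1409 Stored Application Data": {"android.permission.READ_EXTERNAL_STORAGE",
                                      "android.permission.MANAGE_EXTERNAL_STORAGE"},
}
# Boot-time broadcast used for persistence (T1624.001).
PERSISTENCE_RECEIVERS = {"android.intent.action.BOOT_COMPLETED"}
# Assumption: Play Store plus a hypothetical MDM agent package are the only trusted installers.
TRUSTED_INSTALLERS = {"com.android.vending", "com.example.mdm"}
HIGH_RISK_ROLES = {"executive", "admin", "legal"}


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]      # installing package per the MDM; None means sideloaded/unknown
    enterprise_approved: bool
    permissions: Set[str]
    receivers: Set[str]           # broadcast actions the app registers for, where the MDM exposes them
    device_rooted: bool
    user_role: str


def score_app(rec: AppRecord) -> Tuple[int, List[str]]:
    """Return (score, reasons). Higher means more of the page's behavior cluster is present."""
    matched = [tech for tech, perms in CLUSTERS.items() if rec.permissions & perms]
    score = len(matched)
    reasons = list(matched)
    if rec.receivers & PERSISTENCE_RECEIVERS:
        score += 2
        reasons.append("T1624.001 Broadcast Receivers (BOOT_COMPLETED)")
    if rec.installer not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("untrusted or unknown install source")
    if not rec.enterprise_approved:
        score += 1
        reasons.append("not enterprise approved")
    if rec.device_rooted:
        score += 3
        reasons.append("device rooted (possible T1404 evidence)")
    if rec.user_role in HIGH_RISK_ROLES:
        score += 1
        reasons.append(f"high-risk user role: {rec.user_role}")
    if len(matched) >= 4:   # capture + collection + out-of-band together is the cluster to watch
        score += 2
        reasons.append("broad capability cluster")
    return score, reasons


def triage(records: List[AppRecord], threshold: int = 6) -> List[Tuple[str, int, List[str]]]:
    """Return flagged apps as (package, score, reasons), highest score first."""
    findings = []
    for rec in records:
        score, reasons = score_app(rec)
        if score >= threshold:
            findings.append((rec.package, score, reasons))
    return sorted(findings, key=lambda f: -f[1])


# Constructed sample inventory: a legitimate messenger, a suspicious sideloaded app
# on a rooted executive device, and a calendar app that legitimately uses BOOT_COMPLETED.
SAMPLE_RECORDS = [
    AppRecord("com.example.messenger", "com.android.vending", True,
              {"android.permission.READ_CONTACTS", "android.permission.CAMERA",
               "android.permission.RECORD_AUDIO"}, set(), False, "standard"),
    AppRecord("com.example.sysupdate", None, False,
              {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
               "android.permission.READ_CALENDAR", "android.permission.READ_CALL_LOG",
               "android.permission.READ_CONTACTS", "android.permission.RECEIVE_SMS",
               "android.permission.READ_EXTERNAL_STORAGE"},
              {"android.intent.action.BOOT_COMPLETED"}, True, "executive"),
    AppRecord("com.example.calendar", "com.android.vending", True,
              {"android.permission.READ_CALENDAR", "android.permission.READ_CONTACTS"},
              {"android.intent.action.BOOT_COMPLETED"}, False, "executive"),
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE_RECORDS):
        print(f"{package}: score {score}")
        for r in reasons:
            print(f"  - {r}")
```

With the default threshold only the sideloaded app on the rooted device is flagged; the calendar app that registers for `BOOT_COMPLETED` scores below it, which is the false-positive tuning the bullets call for. Lowering the threshold surfaces it as a lower-priority review item rather than an alert.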

Mitigation priorities

  • Prioritize managed Android coverage for high-risk users through device inventory, enrollment, patch compliance, and policy enforcement.
  • Reduce exposure from privilege escalation by maintaining current Android security updates and removing unsupported devices from sensitive access paths.
  • Enforce application control and install-source governance for enterprise-managed devices; review applications requesting sensitive permissions such as microphone, camera, contacts, calendar, call log, SMS, storage, and notification access.
  • Use conditional access or equivalent policy decisions to limit business access from rooted, unmanaged, noncompliant, or unpatched devices.
  • Prepare mobile incident response procedures in advance, including evidence preservation, user notification/legal handling, and escalation paths for executive or regulated-data cases.

Analyst notes and limits

The supplied ATT&CK object identifies Pegasus for Android as Android malware, cites Google and Lookout reporting, and states it has reportedly been linked to NSO Group. The practical defensive value comes from the ATT&CK relationships, which describe a broad mobile capability set across privilege escalation, discovery, persistence, collection, capture, and out-of-band communications. Local device management architecture, BYOD policy, privacy requirements, and mobile forensic capability will determine how actionable these behaviors are in a real environment.

No official MITRE detection text, tactics, aliases, labels, active exploitation statement, or guaranteed indicators were supplied. This take does not assert current activity, customer exposure, attribution beyond the reported linkage in the official description, or detection coverage. Telemetry and mitigations are defensive validation directions inferred from the supplied Android platform and related ATT&CK techniques.

Official MITRE ATT&CK definition

Pegasus for Android

Pegasus for Android is the Android version of malware that has reportedly been linked to the NSO Group. [1] [2] The iOS version is tracked separately under Pegasus for iOS.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Mobile | T1429 | Audio Capture | Pegasus for Android has the ability to record device audio. [1]
Mobile | T1624.001 | Broadcast Receivers (sub-technique) | Pegasus for Android listens for the `BOOT_COMPLETED` broadcast intent in order to maintain persistence and activate its functionality at device boot time. [1]
Mobile | T1404 | Exploitation for Privilege Escalation | Pegasus for Android attempts to exploit well-known Android OS vulnerabilities to escalate privileges. [1]
Mobile | T1409 | Stored Application Data | Pegasus for Android accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings. [1]
Mobile | T1636.002 | Call Log (sub-technique) | Pegasus for Android accesses call logs. [1]
Mobile | T1636.001 | Calendar Entries (sub-technique) | Pegasus for Android accesses calendar entries. [1]
Mobile | T1512 | Video Capture | Pegasus for Android has the ability to take pictures using the device camera. [1]
Mobile | T1422.002 | Wi-Fi Discovery (sub-technique) | Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming. [1]
Mobile | T1422.001 | Internet Connection Discovery (sub-technique) | Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming. [1]
Mobile | T1645 | Compromise Client Software Binary | Pegasus for Android attempts to modify the device's system partition. [1]
Mobile | T1422 | System Network Configuration Discovery | Pegasus for Android checks if the device is on Wi-Fi, a cellular network, and is roaming. [1]
Mobile | T1636.003 | Contact List (sub-technique) | Pegasus for Android accesses contact list information. [1]
Mobile | T1418 | Software Discovery | Pegasus for Android accesses the list of installed applications. [1]
Mobile | T1644 | Out of Band Data | Pegasus for Android uses SMS for command and control. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 24f645e5a3a57e66...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 24f645e5a3a5…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Lookout-PegasusAndroid: Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.
  2. [2] Google-Chrysaor: Rich Cannings et al. (2017, April 3). An investigation of Chrysaor Malware on Android. Retrieved April 16, 2017.
  3. [3] Chrysaor: (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)
  4. [4] Pegasus for Android: (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)
  5. [5] mitre-attack S0316

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.