# [Intern] 19/09/2022 A new approach to attack users of the wireless network.
###### tags: `BMW-Lab`, `Intern`
:::success
**Goal:** To show a new approach to attack users of the wireless network.
:::
:::success
**References**
[Advanced spyware for wireless network](https://en.wikipedia.org/wiki/Pegasus_(spyware))
:::
## Background
One category of exploit that has become increasingly prominent is the zero-click attack, so named because it requires no action from the victim to trigger. Conventional mobile attacks rely on the victim doing something (opening an attachment, tapping a link, installing an app); zero-click attacks remove the human factor entirely. They are stealthy by nature and usually take place without the victim's knowledge: the victim typically has no way of knowing how or when the compromise happened. Given that stealth and the sophistication involved, zero-click attacks now pose a significant threat.
Typically, a specially crafted block of data is sent to the target device over a wireless connection (a message, a call setup, a push notification) and exploits an unknown or unpatched vulnerability in the code that parses it, giving the attacker code execution on the device and access to its contents. Voice-calling and messaging applications are popular vectors because they are near-universal on mobile devices and, by design, process data from arbitrary senders before the user ever sees it. Their size and complexity also mean they frequently contain exploitable parsing bugs, especially when integrated with other applications and add-ons, which makes them ideal intrusion vectors.

## How it works in detail
The following sections summarise the capabilities claimed for the Pegasus spyware; treat them as claims about a capability rather than independently verified behaviour.

### Installation
To start collecting data from a target's smartphone, a software component (the Pegasus agent) must first be installed on the device remotely and covertly. Two remote installation vectors are described, neither of which requires the operator to be within range of the target:

- **Over-the-Air (OTA), zero-click:** a push message is sent covertly to the mobile device. Processing that message triggers the device to download and install the agent. No cooperation from the target is needed (no link to click, no message to open), and nothing is shown on the device; the installation is silent and invisible. Because this path depends on an exploitable bug in the code that handles the push message, it works only while that bug is unpatched on the target device.
- **Lure message, one-click:** the operator sends an ordinary text message (SMS) or email that lures the target into opening a link. A single click, whether planned or accidental, results in a hidden agent installation. The target knows they clicked the link but gets no indication that software is being installed.

In either case nothing else is needed for a successful installation of the agent. The claim that installation "cannot be prevented by the target" should be read in that light: the zero-click path relies on an unpatched vulnerability, so keeping the device updated narrows the window in which it works, and the one-click path still needs the target to open the link.

### Initial Data Extraction
Once the agent has been successfully installed, the following data already present on the device can be extracted and sent to the command and control (C2) server:

- SMS records
- Contact details
- Call history (call log)
- Calendar records
- Emails
- Instant messaging content
- Browsing history

This set of features is termed active collection, because the data is gathered on the operator's explicit request. Active collection lets the operator perform real-time actions on the target device, retrieving specific information from the device and from the target's surroundings. It is presented as what distinguishes Pegasus from other intelligence-collection tools: rather than waiting for whatever data happens to arrive and hoping it is relevant, the operator chooses what to retrieve and gets exactly that information.

### Data Transmission
By default, collected data is sent back to the C2 server in real time over a data channel. Wi-Fi is preferred when it is available; otherwise cellular data (GPRS, 3G or LTE) is used. Effort went into compression and into transmitting textual content wherever possible, so the footprint of a transmission is very small, usually only a few hundred bytes. This keeps the data easy to transmit and minimises the impact on the device and on the target's cellular data plan (and, from a defender's point of view, leaves very little volume to notice).
If no data channel is available, the agent keeps collecting and stores the data in a dedicated buffer on the device (see the Data Collection section), sending it once connectivity returns. If no data channel is available and nothing is heard back from the device, the operator can instruct the agent to communicate and/or send crucial data via text messages (SMS).
Communication between the agent and the central servers is indirect, through an anonymising network, so that tracing traffic back to the operator is claimed to be infeasible. Note that this hides the operator, not the agent: the device still has to talk to a first-hop relay, and that relay's address, the timing and size of the small uploads, and unexpected outbound SMS are exactly what device-side and network-side detection can look for.
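The transmission profile described above (many uploads of a few hundred bytes each, to a destination the rest of the fleet never contacts, with store-and-forward bursts after an outage) is something a network operator or a mobile device management service can look for even though the payload is compressed and the far end is only a relay. The following Python script is an added example, not code from the original note or from any Pegasus analysis tool. It scores device-to-destination pairs from a constructed flow log on three features: median upload size, regularity of inter-arrival times, and how many devices in the fleet talk to that destination. The log format, the thresholds, and the device names and IP addresses are all assumptions made for the example.

```python
"""Score device->destination upload pairs for a small, frequent, fleet-rare
exfiltration pattern. Added example; all thresholds and log lines are assumed."""
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed thresholds (tune against the fleet's normal traffic before use).
MAX_MEDIAN_BYTES = 1024   # "a few hundred bytes" of compressed text per upload
MIN_FLOWS = 5             # need enough samples before judging a pair
MAX_INTERVAL_CV = 0.25    # std/mean of inter-arrival gaps; near 0 means beacon-like

# Constructed flow log (not real telemetry): "<iso-timestamp> <device> <dst-ip> <bytes-out>".
# phone-A sends ~400 B to 203.0.113.10 every five minutes; both phones also upload
# large, irregular amounts to a shared service at 198.51.100.7.
FLOW_LOG = """\
2022-09-19T08:00:05 phone-A 203.0.113.10 412
2022-09-19T08:00:06 phone-A 198.51.100.7 48213
2022-09-19T08:05:04 phone-A 203.0.113.10 389
2022-09-19T08:10:06 phone-A 203.0.113.10 455
2022-09-19T08:15:05 phone-A 203.0.113.10 402
2022-09-19T08:20:05 phone-A 203.0.113.10 398
2022-09-19T08:25:05 phone-A 203.0.113.10 421
2022-09-19T08:03:11 phone-B 198.51.100.7 51000
2022-09-19T08:40:00 phone-B 198.51.100.7 2200
2022-09-19T09:02:00 phone-B 192.0.2.44 9000
"""


def parse_flows(log_text):
    """Yield (timestamp, device, dst, bytes_out) tuples from the constructed log."""
    for line in log_text.strip().splitlines():
        ts, device, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), device, dst, int(nbytes)


def pair_stats(log_text):
    """Per (device, dst): flow count, median upload size, inter-arrival CV, fleet prevalence."""
    by_pair = defaultdict(list)
    devices_per_dst = defaultdict(set)
    for ts, device, dst, nbytes in parse_flows(log_text):
        by_pair[(device, dst)].append((ts, nbytes))
        devices_per_dst[dst].add(device)

    stats = {}
    for (device, dst), rows in by_pair.items():
        rows.sort()
        sizes = [b for _, b in rows]
        gaps = [(rows[i][0] - rows[i - 1][0]).total_seconds() for i in range(1, len(rows))]
        cv = None
        if len(gaps) >= 2 and statistics.mean(gaps) > 0:
            cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        stats[(device, dst)] = {
            "flows": len(rows),
            "median_bytes": statistics.median(sizes),
            "interval_cv": cv,
            "dst_prevalence": len(devices_per_dst[dst]),  # how many devices use this dst
        }
    return stats


def suspicious_pairs(log_text):
    """Return sorted (device, dst) pairs matching the small-and-frequent profile.

    Regular timing OR a destination nobody else in the fleet contacts is enough;
    real-time, event-driven uploads will not be periodic, so regularity alone
    is not required."""
    hits = []
    for pair, s in pair_stats(log_text).items():
        small = s["median_bytes"] <= MAX_MEDIAN_BYTES
        frequent = s["flows"] >= MIN_FLOWS
        rare_dst = s["dst_prevalence"] == 1
        regular = s["interval_cv"] is not None and s["interval_cv"] <= MAX_INTERVAL_CV
        if small and frequent and (rare_dst or regular):
            hits.append(pair)
    return sorted(hits)


if __name__ == "__main__":
    for device, dst in suspicious_pairs(FLOW_LOG):
        s = pair_stats(FLOW_LOG)[(device, dst)]
        print(f"{device} -> {dst}: {s['flows']} uploads, median {s['median_bytes']:.0f} B, "
              f"interval CV {s['interval_cv']:.3f}, seen on {s['dst_prevalence']} device(s)")
```

Running it flags `phone-A -> 203.0.113.10` (six uploads of roughly 400 bytes, five minutes apart, to an address no other device uses) and leaves the large, irregular uploads to the shared destination alone. The regularity feature only matters for beacon-style traffic; since the description says data is sent as soon as it is collected, event-driven uploads will not be regular, which is why the rule accepts either regular timing or a fleet-rare destination. A single hit is a lead for device-side triage, not proof of compromise.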

## Conclusion
As far as we can see, this spyware is highly effective on today's networks: it needs only an exploitable bug on the handset and any available channel (Wi-Fi, 3G/LTE data, or SMS) to exfiltrate what it collects. Because it attacks the device rather than the radio network, moving to 5G does not by itself remove the threat. This pushes us to design protections for 5G networks with this class of attack in mind, so that similar problems can be avoided in the future.
