You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
Telegram<br />
WhatsApp<br />
The <strong>Pegasus</strong> authors have instrumented the interception <strong>of</strong> WhatsApp messages and calls within the samples that we have obtained.<br />
In addition to logging the appropriate information for messages and calls, the s<strong>of</strong>tware also loads a library (libwacalls.<br />
dylib) that is designed to hook key WhatsApp functions and intercept various communication types.<br />
This library issues system-wide notifications when calls are connected, interrupted, or ended, and when another call event<br />
occurs. Any application can receive these events provided they know the ID <strong>of</strong> the notification. Throughout <strong>Pegasus</strong> these<br />
notifications are unique and conspicuous, and they are made up <strong>of</strong> a sequence that’s 56 characters long and appears to be the<br />
output <strong>of</strong> a sha224 hash function. Another <strong>Pegasus</strong> module responsible for recording audio included notification observers<br />
that explicitly listen for these IDs. It seems that when these notifications are sent from libwacalls, and consequently handled by<br />
libaudio.dylib, <strong>Pegasus</strong> records the current WhatsApp call a victim is making.<br />
Libaudio saves audio recordings from WhatsApp calls in the following directories:<br />
• micFileName - /private/var/tmp/cr/x..caf<br />
• spkFileName - /private/var/tmp/cr/t..caf<br />
• sentryFileName - /private/var/tmp/cr/z..caf<br />
TECHNICAL ANALYSIS OF PEGASUS SPYWARE | 26