Mobile security firm Lookout and Google have revealed the existence of Chrysaor (aka Pegasus for Android), a powerful espionage app that is believed by both companies to be the work of Israel-based firm NSO Group, which specializes in lawful surveillance software.
From Pegasus to Chrysaor
Citizen Lab and Lookout analyzed the iOS Pegasus malware and publicly released their findings in August 2016; at the same time, Lookout began searching for an Android equivalent.
Lookout’s researchers mined the dataset collected by its Lookout Security Cloud for signals of anomalous Android applications, and determined that an Android version of Pegasus was running on phones in a number of countries.
After Lookout alerted Google to the threat, Google used its Verify Apps feature to pinpoint fewer than three dozen affected devices.
“We gathered information from affected devices, and concurrently, attempted to acquire Chrysaor apps to better understand its impact on users. We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users,” Google Security researchers explained.
Most of these apps were found on devices in Israel, then Georgia, Mexico, and Turkey, and a few instances in Kenya, Kyrgyzstan, Nigeria, Tanzania, UAE, Ukraine and Uzbekistan.
Other Android users generally have no reason to fear they were infected: the apps were never available in Google Play, and the targets were most likely tricked into downloading and installing the malware through links in highly personalized messages.
Just like Pegasus, the Chrysaor spyware can exfiltrate targeted data from common email, messaging and social media apps and browsers, allows audio and video surveillance (through the device’s microphone and camera), logs keystrokes, can take screenshots, can silently answer telephone calls, and allows the attackers to remotely control the target device via SMS.
Unlike Pegasus, which exploited zero-day iOS vulnerabilities to jailbreak targeted devices and install itself, Chrysaor relies on the well-known Framaroot rooting technique; if rooting fails, it falls back to asking the user for the permissions it needs to access and exfiltrate data.
Once installed (on the /system partition, so that it persists across factory resets), the spyware also disables system updates (e.g. by removing the system update app and disabling auto-updates), and deletes WAP push messages and changes WAP message settings, likely to hinder forensic analysis.
Finally, it is able to remove itself from the compromised device, if:
- It receives a command from the server to remove itself
- It has not been able to check in with the servers after 60 days
- An “antidote” file exists on the device’s SD card
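The persistence and anti-update behaviour described above gives a defender two concrete indicators that can be checked from a device dump: an APK on the /system partition that does not belong to the device's known-good build, and a build-provided package (such as the system update app) that has gone missing. The triage script below is an added example written for this page, not code from Lookout or Google and not tied to any real Chrysaor sample; it parses the output of `adb shell pm list packages -f` against a baseline taken from a known-good device of the same build. The baseline, the sample output and every package name other than the stock `com.android.*` ones are constructed for illustration.

```python
"""Triage `pm list packages -f` output for Chrysaor-style /system persistence.

Added example: flags (1) packages installed under /system that are not in a
known-good baseline, and (2) baseline packages that are missing, which is what
removal of the system update app would look like.
"""
import re
from typing import Dict, Iterable, List, NamedTuple

# `pm list packages -f` prints one line per package: package:<apk path>=<name>
PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")


class Finding(NamedTuple):
    kind: str      # "unexpected_system_pkg" or "missing_baseline_pkg"
    package: str
    detail: str


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> APK path, rejecting lines we do not understand."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = PM_LINE.match(line)
        if not match:
            raise ValueError(f"unrecognised pm output line: {line!r}")
        installed[match.group("pkg")] = match.group("path")
    return installed


def is_system_path(apk_path: str) -> bool:
    """True for APKs living on the /system partition (survive factory reset)."""
    return apk_path.startswith("/system/")


def triage(pm_text: str, baseline_system_pkgs: Iterable[str]) -> List[Finding]:
    """Compare a device's package list with the known-good /system baseline."""
    installed = parse_pm_list(pm_text)
    baseline = set(baseline_system_pkgs)
    findings: List[Finding] = []
    # Indicator 1: something on /system that the stock build does not ship.
    for pkg, path in sorted(installed.items()):
        if is_system_path(path) and pkg not in baseline:
            findings.append(Finding("unexpected_system_pkg", pkg, path))
    # Indicator 2: a stock /system package (e.g. the updater) has been removed.
    for pkg in sorted(baseline - installed.keys()):
        findings.append(Finding("missing_baseline_pkg", pkg, "absent from pm list"))
    return findings


# Constructed known-good baseline for a hypothetical build; "com.example.ota"
# stands in for the build's system update app.
BASELINE_SYSTEM_PKGS = {
    "com.android.bluetooth",
    "com.android.settings",
    "com.example.ota",
}

# Constructed `pm list packages -f` output from a hypothetical compromised
# device: the updater is gone and an unknown APK sits under /system/app.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Updater/Updater.apk=com.example.updatehelper
package:/data/app/com.example.messenger-1/base.apk=com.example.messenger
"""


if __name__ == "__main__":
    for finding in triage(SAMPLE_PM_OUTPUT, BASELINE_SYSTEM_PKGS):
        print(f"{finding.kind:24} {finding.package:30} {finding.detail}")
```

Feed it the real `pm list packages -f` output from the device under investigation and a baseline captured from a clean device on the same build. A user-installed app under /data is deliberately not flagged: the point of the check is the /system partition, which an unrooted app cannot write to and which survives a factory reset.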
For more technical information about the malware, and how it differs from Pegasus, check out Lookout’s extensive report.