Researchers say a variant of the notorious surveillance software called Pegasus has been found targeting Android users, allowing third parties to take screenshots, capture audio, read email and exfiltrate data from targeted phones. The malware, called Chrysaor, was discovered through a joint effort between Google and the Lookout Security Intelligence team.
Researchers say the spyware was likely created by NSO Group Technologies, a cyber arms-dealing firm based in Israel that is believed to be behind Pegasus.
“Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups,” wrote Lookout Security in a technical analysis (PDF). “These groups produce advanced persistent threats for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world.”
According to Google’s own analysis, Chrysaor has been installed on fewer than three-dozen devices. “Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play,” Google researchers wrote in a technical analysis of the malware published Monday.
Unlike Pegasus that utilized three Apple iOS zero days known as Trident, Google said Chrysaor doesn’t exploit a vulnerability. Instead, Google believes attackers coax specifically targeted individuals to download the Chrysaor malware onto their device.
“Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS,” wrote Google.
Lookout said Chrysaor has similar capabilities to its iOS counterpart including the ability to exfiltrate data from apps such as WhatsApp, Skype, Viber and others.
Google said a sample of the Chrysaor it examined was tailored to Android devices running the JellyBean (4.3) software or earlier.
Upon installation, the app uses Framaroot rooting techniques to find security holes that allow the attackers to escalate privileges and break Android’s application sandbox, Google said. “If the targeted device is not vulnerable to these exploits, then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges,” according to Google.
Chrysaor is also very careful when it comes to being detected and is programmed to uninstall itself if there’s any chance it has been found, according to Lookout. “Pegasus for Android will remove itself from the phone if the SIM MCC ID is invalid, an ‘antidote’ file exists, it has not been able to check in with the servers after 60 days, or it receives a command from the server to remove itself,” Lookout wrote.
Lookout said it began hunting for the Android version of Pegasus after it became clear that the company believed behind its sale, NSO Group, was also allegedly selling sophisticated espionage tools for infiltrating iOS, Blackberry and Android devices.
“Immediately upon discovery of the iOS version of Pegasus, Lookout’s team of intelligence analysts and data scientists began hunting down Pegasus for Android via a combination of automated and manual analysis of (telemetry data),” Lookout wrote.
Lookout said it linked Chrysaor too Pegasus after a massive analysis of threat intelligence revealed a number of similar malware attributes and indicators of compromise suggesting a connection. Lookout took its findings to Google’s Android Security Team and began a joint investigation.
“When Google and Lookout announced the discovery, Google named this family of spyware Chrysaor,” Lookout said. According to Greek mythology, Chrysaor is the mythical brother of Pegasus.
Google notes, to protect against Chrysaor malware, and any other potentially harmful apps, users should only install apps from a reputable sources, keep device up-to-date, ensure Verify Apps is enabled and use the secure lock feature on home screens.