Google and a security research firm have shared details of the Android version of Pegasus, an iOS spyware that was first discovered in August 2016. The Android sibling of Pegasus is known as Chrysaor and was spotted in late 2016. The spyware is believed to have been developed by NSO Group Technologies, an Israel-based firm that specializes in the development and sale of software exploits to governments.
NSO is a surveillance company that is known as one of the most advanced producers of the mobile spyware in the world. The company first rose to media popularity after developing Pegasus, which used three previously unknown and unpatched iOS zero-day vulnerabilities. Pegasus was used to target a Mexican journalist and Ahmed Mansoor, a UAE activist who helped with the discovery of Pegasus.
Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements.
NSO Group was also accused of helping Turkey spy on its dissidents.
Following Pegasus, everyone suspected that NSO could have developed an Android version of Pegasus, as well, which led to the discovery of Chrysaor, believed to be a descendant of Pegasus. Chrysaor Android spyware made to its targets through apps installed from the "Unknown Sources," as it was distributed using the apps that weren't available in the Google Play Store. Lookout security firm in its report published today said that Chrysaor Android spyware appears to be a spying tool used by "nation states and nation-state-like groups."
Chrysaor Android spyware: self-destructing, factory-reset-survivor weapon
Chrysaor Android spyware is an espionage platform, which Google and security researchers started to look for after discovery of Pegasus iOS spyware. Google said Verify Apps, an Android security feature, helped it discover that it was installed on fewer than three-dozen devices. While a tiny number of devices among over 1.4 billion Android devices, the spyware serves the purpose for its users (governments) as it helps them spy on their victims.
Unlike Pegasus, Android spyware doesn't rely on any zero-day bugs and instead uses known Framaroot exploits to override Android's safety mechanism and escalate privileges. If the target device is not vulnerable to these exploits, then the malware attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges, Google said.
"Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups," Lookout wrote in a detailed analysis. "These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world."
Chrysaor, like Pegasus, offers a range of spying features, including:
- Keylogging: records whatever you type.
- Data collection and exfiltration: collects user data including, SMS messages, call logs, browser history, calendar, contacts, emails, and messages from selected messaging apps, including WhatsApp, Twitter, Facebook, Kakoa, Viber, Gmail, and Skype.
- Screenshots: captures an image of your current screen.
- Live audio and video capture.
- Remote control of the malware via SMS.
Analysis showed Israel hosting the largest number of targeted phones, followed by Mexico, Turkey, Georgia, Kyrgyzstan, Ukraine, Uzbekistan, and, of course, the UAE. Chrysaor Android spyware is also capable of self-destructing itself when it's at risk of being discovered or compromised. "It's clear that this malware was built to be stealthy, targeted, and is very sophisticated," Lookout researchers added.
When Pegasus was first discovered, Citizen Lab’s Bill Marczak had said that these tools are often used to target dissidents and activists who are currently on the frontlines of what is to become a norm for all of us tomorrow. "These guys are sort of the canaries in the coal mine."