Google and Lookout researchers published a report today revealing the activities of a new Android malware family, which they believe to be the Android counterpart of the Pegasus iOS spyware.

After surfacing in 2016, the Pegasus spyware made headlines around the world after it was discovered that this wasn't your ordinary malware but a cyber-surveillance toolkit sold by an Israeli company called NSO Group.

Similarly to Italian surveillance vendor HackingTeam, the NSO Group developed Pegasus and sold it to governments and law enforcement agencies across the world, even in countries with dictatorial regimes, where it was used to track down dissidents and journalists.

At the time, Pegasus was the most advanced iOS malware ever discovered, using several iOS zero-days to infect and collect data from a victim's iPhone.

Initial Pegasus investigation moved to Android ecosystem

The Pegasus investigation, spearheaded by security researchers from Lookout and Citizen Lab, continued after the publication of their Pegasus report.

During the fall, as Apple was patching the zero-days used by Pegasus, Lookout researchers reached out to Google and sent over a list of suspicious apps they believed were connected to Pegasus and the NSO Group.

An investigation from Google revealed a new Android malware family named Chrysaor, very similar to Pegasus. Chrysaor features included:

  • Keylogging features
  • Ability to silently answer phone calls and listen in on conversations (the user sees a black screen, and if they unlock the phone, the call is dropped immediately)
  • Ability to take screenshots of the user's screen
  • Ability to spy on users via the front and rear cameras
  • Usage of the ContentObserver framework to gather any updates to apps such as SMS, Calendar, Contacts, Cell info, Email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype
  • Ability to collect data such as SMS settings, SMS messages, call logs, browser history, calendars, contacts, and emails
  • Ability to steal messages from apps such as WhatsApp, Twitter, Facebook, Kakao, Viber, and Skype
  • Usage of alarm functionality to repeat malicious actions at certain intervals
  • Ability to install itself in the /system folder to survive factory resets
  • Ability to sabotage the phone's self-update features
  • Ability to disable WAP push messages to hinder forensics operations
  • Ability to delete itself when instructed or when the C&C server goes dormant

Most of these features could be triggered either by an HTTP request from one of the attacker's C&C servers or by an SMS message.
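One of the capabilities listed above, installing into the /system folder so the implant survives a factory reset, also leaves a forensic trace: a package living under /system that is not part of the device's firmware image. The script below is an added triage example, not code from the report or from Google or Lookout. It parses the output format of `adb shell pm list packages -f` (the constructed sample lines and the baseline set are invented for this example; a real baseline would come from a known-good dump of the same firmware build) and lists system-partition packages that are absent from the baseline.

```python
from typing import Dict, List, Set

# Constructed sample of `adb shell pm list packages -f` output (not real device data).
# Each line has the form: package:<apk path>=<package name>
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/com.whatsapp-1/base.apk=com.whatsapp
package:/system/app/Persist/Persist.apk=com.example.persist
package:/data/app/com.example.game-2/base.apk=com.example.game
this line is malformed and should be skipped
"""

# Hypothetical baseline: packages expected under /system on this firmware build.
BASELINE_SYSTEM_PACKAGES: Set[str] = {
    "com.android.settings",
    "com.android.calendar",
}

PREFIX = "package:"


def parse_pm_list(output: str) -> Dict[str, str]:
    """Return {package_name: apk_path} parsed from `pm list packages -f` output.

    Lines that do not match the expected shape are ignored rather than raising,
    so a partially garbled capture still yields what can be recovered.
    """
    packages: Dict[str, str] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX) or "=" not in line:
            continue
        # Split on the last '=' so an '=' inside the path cannot confuse us.
        path, pkg = line[len(PREFIX):].rsplit("=", 1)
        if path and pkg:
            packages[pkg] = path
    return packages


def unexpected_system_packages(packages: Dict[str, str],
                               baseline: Set[str]) -> List[str]:
    """Packages installed on the /system partition that the baseline does not know."""
    return sorted(
        pkg for pkg, path in packages.items()
        if path.startswith("/system/") and pkg not in baseline
    )


if __name__ == "__main__":
    found = parse_pm_list(SAMPLE_PM_OUTPUT)
    for pkg in unexpected_system_packages(found, BASELINE_SYSTEM_PACKAGES):
        print(f"unexpected /system package: {pkg} at {found[pkg]}")
```

A hit from this check is a lead, not a verdict: carriers and OEMs also ship packages under /system, which is why the baseline must come from the same firmware build as the device under examination. Unexpected entries should be pulled for signature and hash comparison rather than judged by name.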

Researchers described Chrysaor as by far the most sophisticated threat they had encountered; in fact, they said Chrysaor was more complex and more feature-rich than Pegasus.

Chrysaor used in targeted attacks

Just like Pegasus, Chrysaor was used in a small number of attacks, a clear sign that this is an advanced tool deployed by only a few groups in targeted attacks, and not something you and I are likely to come across.

While the victims are unknown, Google said it identified at least three dozen users infected with Chrysaor. All of them got infected because they installed an app via a third-party app store. Using Android's Verify Apps feature, Google intervened and disabled the apps on the victims' phones.

From the samples they found, Google and Lookout researchers say these apps appear to have been compiled in 2014, meaning there are likely more victims than the current headcount, most of whom they will never be able to identify. Most of these victims have probably switched or upgraded phones since then, and their trail was lost.

Based on current data, the vast majority of Chrysaor victims were located in Israel, Georgia, Mexico, and Turkey.

Security researchers always knew there was an Android version of Pegasus, based on NSO Group brochures, but until now, they were never able to discover a sample and study its behavior.

The NSO Group, which is a licensed cyber-arms dealer, has not responded to any of the accusations that it sells surveillance tools to oppressive regimes. The full technical report on Chrysaor is available here.