Google and Lookout researchers published a report today revealing the activities of a new Android malware family, which they believe to be the Android counterpart of the Pegasus iOS spyware.
After surfacing in 2016, the Pegasus spyware made headlines around the world after it was discovered that this wasn't your ordinary malware but a cyber-surveillance toolkit sold by an Israeli company called NSO Group.
Similarly to Italian surveillance vendor HackingTeam, the NSO Group developed Pegasus and sold it to governments and law enforcement agencies across the world, even in countries with dictatorial regimes, where it was used to track down dissidents and journalists.
At the time, Pegasus was the most advanced iOS malware ever discovered, using several iOS zero-days to infect and collect data from a victim's iPhone.
That investigation, spearheaded by security researchers from Lookout and Citizen Lab, continued after the publication of their Pegasus report.
During the fall, as Apple was patching the zero-days used by Pegasus, Lookout researchers reached out to Google and sent over a list of suspicious apps, they thought to be connected with Pegasus and the NSO Group.
An investigation from Google revealed a new Android malware family named Chrysaor, very similar to Pegasus. Chrysaor features included:
Most of these features could be turned on by both an HTTP request from one of the attacker's C&C servers, but also via an SMS message.
Chrysaor was by far the most sophisticated threat researchers encountered. In fact, researchers said Chrysaor was far more complex and full of features when compared to Pegasus.
Just like Pegasus, Chrysaor was used in a small number of attacks, a clear sign this is an advanced tool deployed only by a few groups in targeted attacks, and not something me and you will ever come across.
While the victims are unknown, Google said it identified at least three dozen users infected with Chrysaor. All of them got infected because they installed an app via a third-party app store. Using Android's Verify Apps feature, Google intervened and disabled the apps on the victims' phones.
From the samples they found, Google and Lookout researchers say these apps appear to have been compiled in 2014, meaning there's likely more victims than the current headcount, most of which they'll never be able to identify. Most of these victims most likely switched or upgraded phones, and their trail was lost.
Based on current data, the vast majority of Chrysaor victims were located in Israel, Georgia, Mexico, and Turkey.
Security researchers always knew there was an Android version of Pegasus, based on NSO Group brochures, but until now, they were never able to discover a sample and study its behavior.
The NSO Group, which is a licensed cyber-arms dealer, has remained quiet to all accusations of selling surveillance tools to oppressive regimes. The full technical report on Chrysaor is available here.