Researchers at Google and mobile security firm Lookout have now discovered that infamous iOS spyware Pegasus, which was described as sophisticated and discovered last year, has now turned up on Android in the form of ‘Chrysaor’. Notably, the advanced form of malware can potentially give remote control of the device to the exploiter and even deletes itself, remove all traces.
Before you start getting uneasy, Google has clarified that the infected apps that carried the malware were never made available through Google Play store. Further, Google said that it tried to find the scope of Chrysaor by using Verify Apps, only to find that it had low volumes of installs outside Google Play. As per search giant, Israel-based NSO Group Technologies, which was behind the Pegasus malware is believed to be behind Chrysaor as well.
“Late last year, after receiving a list of suspicious package names from Lookout, we discovered that a few dozen Android devices may have installed an application related to Pegasus, which we named Chrysaor,” Google said in a post. “Among the over 1.4 billion devices protected by Verify Apps, we observed fewer than 3 dozen installs of Chrysaor on victim devices,” it added.
As per the search giant, the Chrysaor malware has been targeted at devices running Android 4.3 Jelly Bean or earlier versions.
Some of the spying functionalities in the Chrysaor malware include keylogging, screenshot capture, Live audio capture, remote control of the malware via SMS, browser history exfiltration, email exfiltration from Android’s native email client, contacts and text message, as per Lookout. It also enables messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, Kakao.
The Chrysaor malware self destructs itself when it finds its position in danger and meets certain conditions, Lookout points out. “It’s clear that this malware was built to be stealthy, targeted, and is very sophisticated,” Lookout said in its post regarding the malware.
The most notable difference between Chrysaor on Android and Pegasus on iOS is that the former doesn’t use zero-day vulnerabilities to root the device. Chrysaor instead uses a well-known rooting technique called Framaroot.
“In the case of Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. In the Android version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for permissions that would then allow it to access and exfiltrate data. The failsafe jumps into action if the initial attempt to root the device fails,” Lookout said.
As the Chrysaor malware has not been distributed at large scale, majority of Android devices are out of danger but we would like to warn our readers who are using Android not to install apps from unverified sources in order to keep their devices secure.