Lookout and the Google Security team uncovered the most sophisticated malware ever discovered on Android. It is called Chrysaor, a variant of the widely-known Pegasus surveillance-ware that affected iOS a couple of months ago.
This piece of mobile software was designed to install on Android devices without alerting their users. It can collect and relay all kinds of data to an external server, and it can self-destruct if it detects any anomaly.
Pegasus for Android is far more advanced than anything the Google Security team has ever found. In late-2016, Apple partnered with Lookout to expose the spyware and secure iOS from the malicious software.
How does Pegasus trick Android?
Much like the iPhone version, Pegasus for Android, or Chrysaor, steals information from infected devices.
The attacker selects someone and somehow makes them download an app or an attachment on their smartphone or tablet. What they don’t know is that the surveillance-ware is downloading and installing too.
Pegasus quickly obtains elevated privileges and secures its survival by relocating itself to the /system partition of the operating system. There, it can live on even after users perform factory resets.
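Because the article's central technical point is persistence on the /system partition, an added example (not code from the article, Lookout, or Google) shows a small triage check a defender can run: it parses the output of `adb shell pm list packages -f`, which prints one `package:<apk path>=<package name>` line per installed package, and flags any package resident on /system that a trusted baseline does not list. The sample output, the baseline set, and the package name com.example.sysupdate are all constructed for this example.

```python
"""
Added example, not from the article or from Lookout/Google: compare the
packages installed on an Android device against a trusted baseline and
flag anything living on the /system partition that the baseline does not
know about. Surveillance-ware that relocates itself to /system in order to
survive a factory reset would appear as an unexpected system-resident
package in this report.

Input format: lines from `adb shell pm list packages -f`, i.e.
    package:<apk path>=<package name>
The sample output and the baseline below are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# One `pm list packages -f` line: APK path, then '=', then the package name.
PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[\w.]+)$")

# Constructed baseline: system packages expected on this device image.
# A real baseline would be captured from a known-good device of the same model.
BASELINE_SYSTEM_PACKAGES: Set[str] = {
    "com.android.settings",
    "com.android.systemui",
    "com.android.phone",
}

# Constructed sample output. com.example.sysupdate is a hypothetical package
# sitting on /system that the baseline does not list.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/TeleService/TeleService.apk=com.android.phone
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/system/app/SysUpdate/SysUpdate.apk=com.example.sysupdate
"""


def parse_pm_output(text: str) -> Dict[str, str]:
    """Map package name -> APK path; lines that do not match are ignored."""
    packages: Dict[str, str] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            packages[m.group("pkg")] = m.group("path")
    return packages


def is_system_resident(apk_path: str) -> bool:
    """True if the APK lives on /system, i.e. it survives a factory reset."""
    return apk_path.startswith("/system/")


def find_unexpected_system_packages(
    packages: Dict[str, str], baseline: Set[str]
) -> List[Tuple[str, str]]:
    """Return (package, path) pairs on /system that the baseline does not list."""
    return sorted(
        (pkg, path)
        for pkg, path in packages.items()
        if is_system_resident(path) and pkg not in baseline
    )


if __name__ == "__main__":
    installed = parse_pm_output(SAMPLE_PM_OUTPUT)
    for pkg, path in find_unexpected_system_packages(installed, BASELINE_SYSTEM_PACKAGES):
        print(f"UNEXPECTED system-resident package: {pkg} ({path})")
```

The check is only as trustworthy as the device answering the query: a device whose /system partition has already been modified can misreport what is installed, so for a suspected compromise the baseline comparison is best repeated against a firmware image or a dump taken outside the running system.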
What can it do?
Lookout lists eight core functions that Chrysaor performs to spy on people. Keylogging and password extraction figure among the most compromising, as does message data extraction from apps like WhatsApp, Skype, Facebook, and Twitter.
Security experts also observed how Pegasus for Android could capture both screenshots and live audio. It can collect and send browser histories, emails, contacts and text messages, and a hacker can control it via SMS.
The surveillance-ware self-destructs under several different scenarios: if it receives a direct command from the server, if it fails to communicate with the server for 60 days, if it detects a change on the SIM card, or if an “antidote” file is installed on the device.
Nation-states use Chrysaor to spy on high-profile targets
Lookout and Google’s Security division attribute the creation and deployment of Chrysaor or Pegasus for Android to the NSO Group. The NSO Group is a rogue cybersecurity firm that is believed to have developed the first Pegasus malware for iOS.
The group is based in Israel and, as a result, a majority of the targets identified by the two tech giants are in that country. Almost a billion and a half Android devices are active around the world, but fewer than three dozen were found to be infected with the malware.
Other prominent target countries include Georgia and Mexico, but Pegasus for Android has reached smartphones in Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, UAE, Ukraine, and Uzbekistan.
Google is deploying its entire security arsenal to fight this threat, and it has already notified potentially affected users about the problem. Lookout released a full report on the surveillance-ware, and it is available as a PDF.