Advanced iPhone malware Pegasus turns out to have Android version
Security company Lookout, in collaboration with Google, has found an Android variant of the Pegasus malware, which was discovered on iPhones last year. The variant, called Chrysaor, was used in targeted attacks on a small number of Android devices.
Google and Lookout have each dedicated a blog post to the malware; the security company also published a technical analysis. Like the Pegasus variant discovered in August, Chrysaor appears to come from Israel’s NSO Group. This instance was discovered when Lookout shared a number of suspicious packages with Google, which was then able to determine the extent of the malware's distribution using its Verify Apps feature. The malware is said never to have been available in the Play Store and was found on about 35 Android devices.
Those devices were mainly located in Israel, Georgia, Mexico and Turkey; Kenya is also on the list. Pegasus was used against Mexican and Kenyan targets, including a journalist. Google has notified the owners of the affected devices. According to the search giant, the malware was spread by tricking users into installing software on their devices, possibly via phishing. Unlike Pegasus, Chrysaor does not rely on zero-day exploits, but uses the well-known Framaroot method to gain root access to a device. If the attempt to gain root failed, the malware still requested the permissions it needed. According to Google, a representative sample targeted Android 4.3.
Once on a system, the malware is able to perform keylogging, capture screenshots and audio, steal chat messages from apps including WhatsApp, and send browser history, contacts and emails to the attacker. According to Lookout, the malware can be controlled via SMS. In addition, Chrysaor is able to self-destruct, for example if it has been unable to connect to a server or if a so-called antidote file is present on the system. Its update function was also disabled if the malware found itself on a Samsung device.
Based on these properties of the malware, together with the encryption and obfuscation it uses, Lookout concludes that Chrysaor was built to evade detection and to be used in a targeted manner.