A new version of one of the most sophisticated forms of mobile spyware has been discovered, and this time it’s being used to spy on Android users.
Made public last summer, the Pegasus mobile spyware was used by a nation state to monitor iPhones belonging to activists in the Middle East. Dubbed Trident, three separate iOS vulnerabilities allowed an attacker to remotely jailbreak a target’s iPhone and install spyware capable of tracking every action on the device.
The discovery of the malware, built by the notorious NSO Group “cyber arms dealer”, forced Apple to release a security fix for iPhones and iPads in order to protect users.
But that wasn’t enough to put off cyber spies and state-backed actors; and a joint investigation by cybersecurity researchers at Lookout and Google has uncovered an Android version of Pegasus.
Google has dubbed it Chrysaor, naming this Android threat after the brother of Pegasus – and it’s been targeting individuals, predominantly in Israel but also in Georgia, Mexico, Turkey, the UAE and more. About three dozen specifically selected individuals have been targeted.
The Android version of this espionage tool performs similar spying functions to its iOS counterpart, allowing those using it to capture keylogs, images and live audio, monitor and extract data from apps including texts, emails, WhatsApp, Skype, Facebook and Twitter, to exfiltrate browser history and gain access to contacts.
Like its iOS counterpart, Chrysaor will also self-destruct if it detects that it is at risk of discovery, removing itself from the compromised target's phone. Mike Murray, VP of security intelligence at Lookout, says the malware is “built to be stealthy, targeted, and is very sophisticated”.
However, there are differences between the iOS and Android versions of Pegasus: Lookout notes that Chrysaor makes no use of zero-day vulnerabilities like the Trident chain that compromised Apple users.
Instead, Chrysaor harnesses a rooting technique called Framaroot, allowing the attackers to remotely jailbreak the device and gain permissions enabling them to access and exfiltrate data. Users became infected with the malware after being coaxed into installing malicious software onto the device through advanced phishing techniques.
This ultimately means that Pegasus for Android is easier to deploy on devices than its iOS counterpart was.
Working alongside Lookout, Google has notified potential targets about the Chrysaor threat, disabled the malware and provided them with information about removing it.
Lookout has provided full, technical research into the malware in a report titled Pegasus for Android: Technical Analysis and Findings of Chrysaor.
While this threat has been uncovered and potential victims issued with advice on how to remove Chrysaor, Lookout warns that the high proliferation of mobile devices means spies, criminals and states continue to target handsets to covertly gain information.
“Sophisticated threat actors are targeting mobile for the same reasons these devices have become ubiquitous in our personal and professional lives. The communication and data-access features, the trust users put in their devices, and the prevalence of these devices mean they also have become an effective espionage tool that well-funded attackers will continue to target”, the company warns.