Android variant of Pegasus spyware discovered
Tue 4 Apr 2017
A variant of the Pegasus software that targeted iOS devices last fall has been discovered by security researchers. This variant, called Chrysaor after the mythical brother of Pegasus, targets Android devices.
Discovered by the researchers at Lookout Security Intelligence, in collaboration with Google, Chrysaor shares many features with the Pegasus spyware.
Like Pegasus, the Android variant is advanced spyware that takes advantage of a target’s WiFi communications, messaging and social media, microphone and camera functions, and contact lists. It can exfiltrate data from apps including WhatsApp, Facebook, Twitter and Gmail, and can capture audio through the device microphone and imagery from the camera.
Chrysaor is an app that consists of two layers. The first, a Java layer, is responsible for installation and control of the spyware. The second, a native code layer, then carries out a variety of tasks that include exploiting the device and installed apps and gaining root access to the system.
Chrysaor is believed to have originated with NSO Group Technologies, the firm that Pegasus was traced back to. NSO is a firm that “sells weaponized software that targets mobile phones to governments”, possibly for purposes of sophisticated espionage.
According to the Google Android Developers blog, Chrysaor never penetrated the mainstream. In fact, of over 1.4 billion devices protected by Verify Apps, the spyware was discovered on only three dozen devices worldwide.
One of the most interesting aspects of the Pegasus spyware that is carried over to the Chrysaor variant is the suicide functionality. In certain circumstances the spyware is triggered to remove itself from the device. If an MCC subscriber ID is not found or is invalid, the suicide function is triggered. That situation would be present in a test or emulator environment, so the check appears to be an effort to keep the spyware from being studied.
The spyware will also remove itself from the device if 60 days elapse without a check-in from the device, or if a remote command is issued.
While the Chrysaor threat does not appear to have penetrated the mainstream, the fact that the spyware is able to integrate several different spying techniques and remain hidden poses a persistent threat to users at large. Lookout researchers believe that Pegasus, and Chrysaor, ‘will likely always be a targeted threat, highly damaging to its victims’ privacy, as well as to any personal and business data accessed on (or discussed near) the device.’