Some time back, Pegasus made its way on iOS. Pegasus was a spyware that was discovered in iOS in August 2015. Just the other day, a Pegasus-like spyware dubbed “Chrysaor” was discovered deeply rooted within Android.
Chrysaor is a spyware that is believed to have been created by NSO Group Technologies, a company that specializes in the creation and sale of software and infrastructure for targeted attacks.
Google says that late last year, they discovered that “a few dozen Android devices” may have installed an application related to Pegasus. Google goes ahead to say that the application (Chrysaor) was never available in the Google Play Store.
Once Chrysaor was installed in one’s phone, the malware would surveil the victim’s activities on the device leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS.
The app uses framaroot exploits, meaning that there is a high chance it only affected rooted devices. The app would attempt to use superuser binary to elevate its privileges. After elevating its privileges, the app would protect itself by:
- Installing itself as a system app (thus becomes immune to factory resets).
- Removing Samsung’s system update app and disabling auto updates (on Samsung devices).
- Deleting WAP push messages and changing WAP message settings, possibly for anti-forensic purpose.
- Starting content observers and the main task loop to receive remote commands and exfiltrate data.
According to Google, the app uses six techniques to collect user data:
- Repeated commands – use alarms to periodically repeat actions on the device to expose data, including gathering location data.
- Data collectors – dump all existing content on the device into a queue. Data collectors are used in conjunction with repeated commands to collect user data including, SMS settings, SMS messages, Call logs, Browser History, Calendar, Contacts, Emails, and messages from selected messaging apps, including WhatsApp, Twitter, Facebook, Kakoa, Viber, and Skype by making /data/data directories of the apps world readable.
- Content observers – use Android’s ContentObserver framework to gather changes in SMS, Calendar, Contacts, Cell info, Email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype.
- Screenshots – captures an image of the current screen via the raw frame buffer.
- Keylogging – record input events from the user.
- RoomTap – silently answers a telephone call and stays connected in the background, allowing the caller to hear conversations within the range of the phone’s microphone. If the user unlocks their device, they will see a black screen while the app drops the call, resets call settings and prepares for the user to interact with the device normally.
Google also reveals that the app can uninstall itself, through command from the server, a self destruct feature if the app is not able to connect to the server in 60 days and via an antidote file.
Google said that they have contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all Android users.
As scary as this is, the chances of having been affected by this malware are very low. Google also released a chart, showing the scope of affected devices per country:
Before you go running to the comments section to say how much Android sucks, note that the malware only affects devices running on Android 4.3 Jelly Bean and below, and as earlier mentioned, probably only on rooted users.