Security researchers are warning Android users of a new, potentially government-derived malware.
Dubbed Chrysaor by Google’s security team, the malware, once installed, can be used to spy on a device’s calls, texts, emails, keystrokes, microphone, camera, GPS and other sensitive user data. Cybersecurity firm Lookout calls it “one of the most sophisticated and targeted mobile attacks we’ve seen in the wild.”
That sophistication may be due, in part, to the fact that it was created for government surveillance purposes. Lookout believes it was developed by the NSO Group, an Israeli cyberwarfare company that develops and sells systems and infrastructure designed for targeted attacks. Chrysaor is also believed to be closely linked to a zero-day iOS exploit called Pegasus — which Apple quickly patched in August 2016 when it was learned that it had been used to spy on a human rights activist in the United Arab Emirates.
But while Apple quickly fixed the underlying root exploit on iOS, the Android version has more than one means of attack. Pegasus relied on root exploits that allowed it to install malware — Chrysaor, on the other hand, doesn’t need to root a device. If the root attempt fails, it can fall back on a failsafe that still allows it to steal your data. Essentially, “this means that Pegasus for Android is easier to deploy on devices and has the ability to move laterally if the first attempt to hijack the device fails,” Lookout VP Mike Murray said.
In reference to its sophistication, the malware is designed to uninstall itself automatically if there’s a chance that it will be spotted. “Pegasus for Android will remove itself from the phone if the SIM MCC ID is invalid, an ‘antidote’ file exists, it has not been able to check in with the servers after 60 days, or it receives a command from the server to remove itself,” according to Lookout’s blog post.
Thankfully, Chrysaor isn’t widespread. Google researchers said that it has been detected on roughly a “few dozen” Android devices — most of which are located in conflict areas or hotspots such as Israel, Georgia, Mexico, Turkey, the United Arab Emirates, or Ukraine. Although minimally used, Chrysaor ultimately represents the cutting edge of current malware technology.
While Google announced “no Chrysaor apps were on Google Play,” it advises Android users to refrain from installing apps from third-party websites they don’t know or trust.