Android Chrysaor spyware went undetected for years

Pierluigi Paganini April 04, 2017

Chrysaor spyware is an Android surveillance malware that remained undetected for at least three years, NSO Group Technology is suspected to be the author.

Security experts at Google and Lookout spotted an Android version of one of the most sophisticated mobile spyware, known as Chrysaor, that remained undetected for at least three years. The experts, in fact, were not able to analyse the threat earlier due to its smart self-destruction capabilities. The Chrysaor spyware has been found installed on fewer than three dozen Android devices.

Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel; other victims were in Georgia, Turkey, Mexico, the UAE and other countries. Experts believe the Chrysaor espionage Android malware was developed by the Israeli surveillance firm NSO Group Technologies; we met this company when researchers spotted its Pegasus iOS spyware in the wild.

The Chrysaor Android spyware implements several features including:

  • Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
  • Controlling the device remotely via SMS-based commands.
  • Recording live audio and video.
  • Keylogging and screenshot capture.
  • Disabling system updates to prevent vulnerability patching.
  • Spying on contacts, text messages, emails and browser history.
  • Self-destructing to evade detection.

The surveillance firm NSO Group Technologies produces top-tier surveillance technology for governments and law enforcement agencies worldwide, but privacy advocates and activists accuse the firm of also selling its malware to dictatorial regimes.

“Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps,” reads a blog post published by Google.

“We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”

The threat was hard to analyse because it is able to delete itself when it detects any suspicious activity that could indicate it has been discovered.

“Pegasus for Android will remove itself from the phone if:

  • The SIM MCC ID is invalid
  • An “antidote” file exists
  • It has not been able to check in with the servers after 60 days
  • It receives a command from the server to remove itself

Researchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.” reads the analysis published by Lookout.

Chrysaor exploits a well-known Android-rooting exploit called Framaroot to root the device and gain full control over the mobile device.

The experts noticed that the Chrysaor spyware dates back to 2014; this means that it is possible that NSO Group might have discovered zero-day vulnerabilities in the Android OS and has implemented the exploit code in the latest version of the Chrysaor spyware.

Lookout published a detailed analysis of the Chrysaor spyware titled “Pegasus for Android: Technical Analysis and Findings of Chrysaor”.


Pierluigi Paganini

(Security Affairs – Chrysaor spyware, surveillance)
