
Android Chrysaor spyware went undetected for years

Chrysaor is an Android surveillance malware that remained undetected for at least three years; the Israeli firm NSO Group Technologies is suspected to be its author.

Security experts at Google and Lookout spotted an Android version of one of the most sophisticated pieces of mobile spyware known, dubbed Chrysaor, which remained undetected for at least three years. For a long time the experts were not able to analyse the threat because of its self-destruction capabilities, which remove the implant before a sample can be captured. Chrysaor has been found installed on fewer than three dozen Android devices.
Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel; other victims were in Georgia, Turkey, Mexico, the UAE and other countries. Experts believe the Chrysaor espionage malware was developed by the Israeli surveillance firm NSO Group Technologies, the same company we met when researchers spotted its Pegasus iOS spyware in the wild.

The Chrysaor Android spyware implements several features including:

  • Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
  • Controlling the device remotely via SMS-based commands.
  • Recording live audio and video.
  • Keylogging and screenshot capture.
  • Disabling system updates to prevent vulnerability patching.
  • Spying on contacts, text messages, emails and browser history.
  • Self-destructing to evade detection.

The surveillance firm NSO Group Technologies sells surveillance technology to governments and law enforcement agencies worldwide, but privacy advocates and activists accuse the firm of also selling its malware to dictatorial regimes.

“Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps,” reads a blog post published by Google.

“We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”

The threat was hard to analyse because it can delete itself when it detects any activity that could indicate it is being discovered or examined.

“Pegasus for Android will remove itself from the phone if:

  • The SIM MCC ID is invalid
  • An “antidote” file exists
  • It has not been able to check in with the servers after 60 days
  • It receives a command from the server to remove itself

Researchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.” reads the analysis published by Lookout.
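As an added illustration, the following Python models the four self-removal conditions exactly as Lookout lists them and evaluates them against three constructed device profiles. It is example code written for this page, not code from the article, from Lookout's analysis or from the malware itself; the field names, the MCC allow-list, the profiles and the dates are assumptions. The point for an analyst is the first profile: an emulator with no SIM fails the MCC check on its own, which is one reason a sample like this can vanish before dynamic analysis sees anything.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumption: a small allow-list of real ITU-T E.212 Mobile Country Codes stands in
# for whatever validation the real implant performed; the sample's own logic is not
# described on the page. 425 Israel, 282 Georgia, 286 Turkey, 334 Mexico, 424 UAE,
# 310 United States.
KNOWN_MCCS = {"425", "282", "286", "334", "424", "310"}

CHECKIN_TIMEOUT_DAYS = 60   # the 60-day check-in window Lookout describes


@dataclass
class DeviceState:
    """Observable state the four kill conditions depend on (field names are assumed)."""
    sim_mcc: Optional[str]         # None models a device or emulator with no SIM
    antidote_file_present: bool    # an "antidote" marker file on disk (path unknown)
    install_date: date
    last_checkin: Optional[date]   # None if the implant never reached its servers
    server_command: Optional[str]  # e.g. "remove"; any other value is ignored here


def mcc_is_valid(mcc: Optional[str]) -> bool:
    """A three-digit MCC from the allow-list; anything else counts as invalid."""
    return mcc is not None and len(mcc) == 3 and mcc.isdigit() and mcc in KNOWN_MCCS


def days_since_checkin(state: DeviceState, today: date) -> int:
    """Days since the last successful check-in, or since install if there was none."""
    reference = state.last_checkin or state.install_date
    return (today - reference).days


def self_destruct_reasons(state: DeviceState, today: date) -> List[str]:
    """Return every triggered removal condition; an empty list means the implant stays."""
    reasons = []
    if not mcc_is_valid(state.sim_mcc):
        reasons.append("invalid SIM MCC")
    if state.antidote_file_present:
        reasons.append("antidote file present")
    if days_since_checkin(state, today) >= CHECKIN_TIMEOUT_DAYS:
        reasons.append("no server check-in within 60 days")
    if state.server_command == "remove":
        reasons.append("remove command from server")
    return reasons


# Constructed profiles (not real telemetry).
# An analyst's emulator: no SIM inserted, snapshot taken minutes after install.
SANDBOX = DeviceState(sim_mcc=None, antidote_file_present=False,
                      install_date=date(2017, 4, 3), last_checkin=None,
                      server_command=None)
# A targeted handset with an Israeli SIM that checked in yesterday.
VICTIM = DeviceState(sim_mcc="425", antidote_file_present=False,
                     install_date=date(2014, 11, 1), last_checkin=date(2017, 4, 2),
                     server_command=None)
# The same handset after its servers have been unreachable for two months.
ORPHANED = DeviceState(sim_mcc="425", antidote_file_present=False,
                       install_date=date(2014, 11, 1), last_checkin=date(2017, 1, 30),
                       server_command=None)


def evaluate_all(today: date = date(2017, 4, 3)) -> dict:
    """Evaluate each constructed profile; keys are profile names."""
    profiles = (("sandbox", SANDBOX), ("victim", VICTIM), ("orphaned", ORPHANED))
    return {name: self_destruct_reasons(state, today) for name, state in profiles}


if __name__ == "__main__":
    for name, reasons in evaluate_all().items():
        verdict = "removes itself" if reasons else "stays resident"
        print(f"{name:9s}: {verdict} {reasons}")
```

Running it prints one verdict per profile: the SIM-less sandbox removes itself on the MCC check alone, the live victim stays resident, and the orphaned handset removes itself once its servers have been silent for 60 days. The practical caveat for anyone handling such a sample is to give the analysis device a SIM (or a realistic MCC), keep its clock and network consistent, and image the storage before the first launch, since a copy captured after the implant decides to remove itself is gone.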

Chrysaor uses the well-known Framaroot rooting exploits to root the device and gain full control over it.

The experts noticed that the Chrysaor samples date back to 2014; this means it is possible that NSO Group has since discovered new zero-day vulnerabilities in Android and implemented the exploit code in later versions of the Chrysaor spyware.

Lookout published a detailed analysis of the Chrysaor spyware titled “Pegasus for Android: Technical Analysis and Findings of Chrysaor”.


Pierluigi Paganini

(Security Affairs – Chrysaor spyware , surveillance)

