A version of the infamous Pegasus is found targeting Android users

by Jake Doevan

A version of the infamous Pegasus spyware has reportedly been detected trying to infect Android devices. Pegasus surveillance software enables third parties to exfiltrate information, access emails, take screenshots and record audio files from infected Android devices.[1]


In addition, Google, together with the Lookout Security Intelligence team, detected malware called Chrysaor. Chrysaor, like Pegasus, is a very complex piece of malware that is used to carry out advanced spying tasks.

The research team disclosed that the spyware was potentially created by NSO Group Technologies, an Israel-based company that deals in cyberarms.

“Pegasus for Android is an example of the common feature-set that we see from nation states and nation state-like groups,” a technical analysis by Lookout Security states. It also adds that “these groups produce advanced persistent threats for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world”.

Google provided its own analysis, which says that the Chrysaor malware had been downloaded on fewer than 30 devices. In addition, Chrysaor wasn’t available in the Google Play store, and didn’t have a high volume of downloads from other sources.

In contrast to Pegasus, which used Trident (three Apple iOS zero days), Chrysaor does not utilize any vulnerabilities. According to Google, cyber criminals attempt to lure a certain group of targeted consumers into installing the malware.[2]

According to Google, “Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS”.

Lookout Security Intelligence noted that Chrysaor, like its iOS counterpart, is able to exfiltrate information from WhatsApp, Viber, Skype and other apps.

Additionally, a sample of the malware that Google tested was tailored to devices running Android Jelly Bean (4.3) or earlier.

Just after the app is installed, it uses Framaroot rooting methods in order to find security gaps. With these, the attackers escalate privileges and break out of Android’s application sandbox. Google adds that “If the targeted device is not vulnerable to these exploits, then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges”.

Chrysaor is designed to uninstall itself when there is a possibility of being detected. “Pegasus for Android will remove itself from the phone if the SIM MCC ID is invalid, an ‘antidote’ file exists, it has not been able to check in with the servers after 60 days, or it receives a command from the server to remove itself,” Lookout states.

Moreover, Lookout started to search for Pegasus for Android just before it emerged that NSO Group was assumed to be behind its creation. The firm was also accused of distributing surveillance software for infiltrating smart devices.

According to the Lookout report, “Immediately upon discovery of the iOS version of Pegasus, Lookout’s team of intelligence analysts and data scientists began hunting down Pegasus for Android via a combination of automated and manual analysis of (telemetry data)”.

Chrysaor was linked to Pegasus just after a threat intelligence investigation. Many similarities between the features of the two pieces of malware were disclosed, suggesting a connection between them. After Lookout Security Intelligence provided its findings to Google, the joint research was started.

Google named the spyware family Chrysaor just after the findings were revealed: in Greek mythology, Chrysaor is Pegasus’ brother.

To keep smart devices safe and protect them from Chrysaor or any other malware, Google advises consumers to download all applications from verified and reputable developers, and to ensure that the device is updated, that verified apps are enabled and that the secure lock is on.

About the author

Jake Doevan
Jake Doevan - Computer security guru

Jake Doe is a security expert and news editor of Reviewedbypro.com. His major is Communication and Journalism, which he obtained from the Washington and Jefferson College.
