Google discovers undetected Android Spyware

An Android version of one of the most sophisticated mobile spyware has been discovered that remained undetected for at least three years due to its smart self-destruction capabilities.

Dubbed Chrysaor, the Android spyware has been used in targeted attacks against activists and journalists mostly in Israel, but also in Georgia, Turkey, Mexico, the UAE and other countries.

Chrysaor espionage malware, uncovered by researchers at Lookout and Google, is believed to be created by the same Israeli surveillance firm NSO Group Technologies, who was behind the Pegasus iOS spyware initially detected in targeted attacks against human rights activists in the United Arab Emirates last year.

NSO Group Technologies is believed to produce the most advanced mobile spyware on the planet and sold them to governments, law enforcement agencies worldwide, as well as dictatorial regimes.

The newly discovered Chrysaor spyware has been found installed on fewer than three-dozen Android devices, although researchers believe that there were more victims before its detection, who most likely have either formatted or upgraded their phones.
 

"Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps," Google said in its own blog post published Monday. 

"We've contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users."

Just like Pegasus for iOS, the newly discovered Chrysaor for Android also offers a wide array of spying functions, including:
 

  • Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
  • Controlling device remotely from SMS-based commands.
  • Recording Live audio and video.
  • Keylogging and Screenshot capture.
  • Disabling of system updates to prevent vulnerability patching.
  • Spying on contacts, text messages, emails and browser history.
  • Self-destruct to evade detection

"If it feels like it's going to be found, it removes itself," said Lookout Security researcher Michael Flossman. "That's why it took so long to find these samples."

Researchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.

While Pegasus leveraged three then-zero day vulnerabilities in Apple's iOS operating system to jailbreak the targeted iOS devices, Chrysaor uses a well-known Android-rooting exploit called Framaroot to root the device and gain full control over the operating system.

Since Chrysaor dates back to 2014, there are possibilities that NSO group might have discovered zero-day vulnerabilities in Android and deployed them on the latest version of Chrysaor for Android, Lookout warned.

Lookout has also provided full, technical details on Chrysaor in its report [PDF] titled "Pegasus for Android: Technical Analysis and Findings of Chrysaor." So, you can head on to the link for a more detailed explanation on the malware.

How to Protect your Android device from Hackers? Google recommends users to install apps only from reputable sources, protect your device with pin or password lock, enable ‘verify apps’ feature from settings, and obviously, keep your device always up-to-date with the latest security patches.