Researchers at Google and mobile cybersecurity firm Lookout discovered a malicious smartphone application that allowed the customers of a “cyber arms dealer” named NSO Group to remotely spy on victims.
A sophisticated piece of spyware is believed to be embedded in a cohort of different espionage apps, enabling the attacker to record a target’s keystrokes, exfiltrate data and listen in on conversations through the device’s compromised microphone.
The malware-laden applications were not available in the Google Play store, leading researchers to believe that targeted downloads were camouflaged and sent to specific victims through phishing emails or SMS messages.
The malware was found on a few dozen Android devices.
Dubbed Chrysaor, the code is believed by researchers to be related to Pegasus, another highly complex piece of malware designed to infect Apple’s iOS. Lookout researchers first discovered Pegasus, another product of NSO Group, last year on a prominent Saudi human rights activist’s phone.
“Individual victim identities [for Chrysaor] have not been revealed publicly, but NSO’s customers tend to be ‘lawful intercept’ organizations engaged in surveillance against targeted individuals,” said Lookout vice president of security intelligence Mike Murray. “As we noted back in August, Pegasus is an extremely sophisticated threat sold to nation-states for millions of dollars and is designed for high-value targets including: activists, journalists, government officials and corporate CEOs.”
Samples of Chrysaor date back to 2014 and were originally uncovered in late 2016, an Android Developers blog post explains. Affected victims were contacted by Google and the spyware was removed from their devices. The targets were largely based in two countries, Israel and Georgia.
Chrysaor carries a notable feature that made tracking its real-world impact especially challenging: the malware will self-destruct under certain conditions, including if the software at any point loses connection with its command-and-control server. Additionally, the malware is capable of blocking certain software updates, dodging forensic tools and avoiding detection.
One Chrysaor sample discovered by Google in Samsung phones, for example, was able to uninstall the manufacturer’s system update app.
Unlike NSO Group’s iOS spyware, Chrysaor doesn’t appear to rely on zero-day vulnerabilities to root the target device and install malware. Instead, the spyware “uses known framaroot exploits to escalate privileges and break Android’s application sandbox,” Android security researchers explained.
“The attackers built in functionality that would … allow it to access and exfiltrate data,” a Lookout blog post about Chrysaor reads, “the failsafe jumps into action if the initial attempt to root the device fails. This means Pegasus for Android is easier to deploy on devices and has the ability to move laterally if the first attempt to hijack the device fails.”
After discovering the sophisticated spyware, Google implemented changes to its “Verify Apps” security feature in Android devices in order to protect other users.
Verify Apps works in a manner similar to other security and antivirus solutions by analyzing a large number of different signals to try to identify programs that exhibit potentially harmful behavior. Once that bad behavior is observed, Verify Apps will block future installations of the app or simply remove it and warn users about the risk.
Malware authors use a variety of different techniques to try to avoid detection. In this case, the primary avoidance technique was to deploy the spyware at a low volume of installs. Google was able to get a copy of one Chrysaor-infected app from Lookout and then extracted a number of different characteristics that allowed it to detect the spyware broadly.