Google has detected Chrysaor, the Android version of the infamous Pegasus iOS spyware. It is believed to have been infecting devices for three years while avoiding detection, the company wrote on its blog. Infection came through installing an app from a third-party store; Google Play did not carry any infected applications.
Pegasus, the most advanced surveillance tool sold by NSO Group, exploited three unpatched zero-day vulnerabilities in iOS and was detected last August when it targeted Mexican journalist and UAE activist Rafael Cabrera.
Chrysaor shares many of Pegasus’ features but adds capabilities of its own: it collects all data associated with SMS settings, SMS messages, call logs, browser history, calendar, contacts, emails, and messages from messaging apps and social networks; captures screenshots; answers calls and lets the caller listen to conversations in the background; and self-destructs if it detects that it has been discovered.
These features allowed the attacker to monitor and steal all activity on the device and in its proximity. Not many devices were infected, as Chrysaor was “used in a targeted attack on a small number of Android devices,” Google said. Most targets were in Israel, but individuals in Georgia, Mexico, Turkey and the UAE, among others, were also targeted.
The spyware was designed to target devices running Android Jelly Bean (4.3) or earlier, one sample analyzed by Google revealed.
“Upon installation, the app uses known framaroot exploits to escalate privileges and break Android’s application sandbox. If the targeted device is not vulnerable to these exploits, then the app attempts to use a super user binary pre-positioned at /system/csk to elevate privileges,” Google said.
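The two device-side indicators Google names above, an OS release of 4.3 or earlier and a super user binary pre-positioned at /system/csk, can be checked from data an administrator already pulls off a handset. The triage helper below is an added example written for this article, not Google's code; it assumes the inputs are the text of `adb shell getprop ro.build.version.release` and `adb shell ls /system`, and the two sample inputs embedded in it are constructed.

```python
"""Triage helper (added example, not Google's code): flags the two
indicators the Google write-up names for Chrysaor on an Android device,
an OS release of 4.3 (Jelly Bean) or earlier and a pre-positioned
super user binary at /system/csk. Input is text captured from the device,
assumed to come from `adb shell getprop ro.build.version.release` and
`adb shell ls /system`; the samples below are constructed."""

import re

# Constructed sample inputs standing in for adb output.
SAMPLE_RELEASE = "4.2.2\n"
SAMPLE_SYSTEM_LISTING = """app
bin
build.prop
csk
etc
framework
lib
xbin
"""


def parse_release(text: str) -> tuple:
    """Turn '4.2.2' into (4, 2, 2) so releases compare numerically;
    a plain string comparison would rank '4.10' below '4.3'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("unrecognised release string: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))


def release_at_or_below_jellybean_43(text: str) -> bool:
    """True when the major.minor release is 4.3 or earlier, the range the
    analysed sample targeted according to Google (4.3.1 counts as 4.3)."""
    return parse_release(text)[:2] <= (4, 3)


def has_csk_binary(listing: str) -> bool:
    """True when the /system listing contains the 'csk' entry that Google
    describes as a pre-positioned super user binary."""
    return "csk" in {line.strip() for line in listing.splitlines()}


def triage(release_text: str, system_listing: str) -> dict:
    """Combine both checks into one record suitable for logging.
    The csk file is the stronger signal: an old release on its own only
    says the device is within the range the sample was built for."""
    old = release_at_or_below_jellybean_43(release_text)
    csk = has_csk_binary(system_listing)
    if csk:
        verdict = "csk indicator present"
    elif old:
        verdict = "within targeted release range"
    else:
        verdict = "no indicator"
    return {
        "release": ".".join(map(str, parse_release(release_text))),
        "in_targeted_release_range": old,
        "system_csk_present": csk,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RELEASE, SAMPLE_SYSTEM_LISTING).items():
        print(f"{key}: {value}")
```

The release check is deliberately kept separate from the file check: an old Android release only says the device falls in the range the analysed sample was built for, whereas the /system/csk entry is a concrete artifact that warrants pulling the device for a full examination.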
NSO Group Technologies is a controversial Israeli company that develops and sells surveillance software that has been used against journalists and human rights activists. In 2012 the Mexican government confirmed signing a $20 million contract with NSO Group.