Android beware: State-backed Pegasus spyware is found using phones to eavesdrop and grab data

Malware previously used to spy on activists using iPhones is now also targeting Android handsets, according to a Lookout and Google investigation.
Written by Danny Palmer, Senior Writer

A new version of one of the most sophisticated forms of mobile spyware has been discovered, and this time it's being used to spy on Android users.

Made public last summer, the Pegasus mobile spyware was used by a nation state to monitor iPhones belonging to activists in the Middle East. The spyware uses three separate iOS vulnerabilities, collectively known as Trident, to allow an attacker to remotely jailbreak a target's iPhone and install spyware capable of tracking every action on the device.

The discovery of the malware, built by the notorious "cyber arms dealer" NSO Group, forced Apple to release a security fix for iPhones and iPads in order to protect users.

But that wasn't enough to put off cyber spies and state-backed actors: a joint investigation by cybersecurity researchers at Lookout and Google has now uncovered an Android version of Pegasus.

Google has dubbed the spyware Chrysaor, naming the Android version of the threat after the brother of Pegasus. Chrysaor has been targeting individuals, predominantly in Israel but also in Georgia, Mexico, Turkey, the UAE, and more. About three dozen specifically selected individuals have been targeted.

The Android version of the espionage tool performs similar spying functions to its iOS counterpart, allowing those using it to capture keylogs, images, and live audio as well as monitor and extract data from apps including texts, emails, WhatsApp, Skype, Facebook and Twitter, exfiltrate browser history, and gain access to contacts.

Like its iOS counterpart, Chrysaor will also self-destruct if it feels it is at risk: Pegasus for Android will remove itself from the phone of the compromised target. Mike Murray, VP of security intelligence at Lookout, says the malware is "built to be stealthy, targeted, and is very sophisticated".

However, there are differences between the iOS and Android versions of Pegasus: Lookout notes that the Android version makes no use of anything like the Trident zero-day vulnerabilities that were used to compromise iOS.

Instead, Chrysaor harnesses a rooting technique called Framaroot, which allows the attackers to remotely jailbreak the device and gain permissions enabling them to access and exfiltrate data. Users become infected with the malware after being coaxed into installing it onto the device through advanced phishing techniques.

Ultimately, that means that Pegasus for Android is easier to deploy on devices than its iOS counterpart was.

Working alongside Lookout, Google has notified potential targets about the Chrysaor threat, disabled the malware and provided them with information about removing it.

Lookout has published its research into the malware in a report entitled Pegasus for Android: Technical Analysis and Findings of Chrysaor.

While this threat has been uncovered and potential victims issued with advice on how to remove Chrysaor, Lookout has warned that the high proliferation of mobile devices means spies, criminals, and states continue to target handsets to covertly gain information.

"Sophisticated threat actors are targeting mobile for the same reasons these devices have become ubiquitous in our personal and professional lives. The communication and data-access features, the trust users put in their devices, and the prevalence of these devices mean they also have become an effective espionage tool that well-funded attackers will continue to target", the company said.

Indeed, Lookout recently detailed how hackers are using social engineering to distribute malware for the purposes of spying on Israeli military personnel.
