A joint investigation by security researchers from Google and Lookout has detected a new Android incarnation of the malware called Pegasus, considered “one of the most sophisticated and targeted mobile attacks” ever seen. Publicly disclosed last summer, Pegasus had previously been used exclusively against iOS. It was developed by the infamous “cyber arms dealer” NSO Group to surveil the iPhones of Middle Eastern dissidents, activists and journalists. Founded in 2010 by entrepreneurs Shalev Hulio and Omri Lavie, NSO Group is an Israeli company that specializes in developing and selling government monitoring software. The company also charges for hacking phones: according to Engadget, the asking price is no less than 1 million dollars. It was earlier linked to malware attacks against supporters of Mexico’s 2014 soda tax, which was seen as a threat to the country’s commercial interests. In 2016, when Pegasus was first found on iOS, its victim was Ahmed Mansoor, a human rights activist from the Emirates. Mansoor tipped off Citizen Lab, whose researchers investigated the malware together with Lookout.
A Pegasus infection typically starts with a malicious text message; the malware then exploits three different iOS vulnerabilities, collectively known as Trident, to let the attackers remotely jailbreak the target’s iPhone and install spyware that tracks all activity on the device. The spyware compromises practically everything on the victim’s iPhone, including the calendar, passwords, Skype, Gmail, Mail.ru, Facebook, VK, Viber, iMessage, Telegram and WhatsApp. This discovery compelled Apple to release a security fix for iPads and iPhones.
The Lookout research team says the spyware has now migrated to Android devices, mostly in hotspots or war zones such as the UAE, Israel, Turkey, Mexico, Kenya, Nigeria, Tanzania, Ukraine, Georgia, Kyrgyzstan and Uzbekistan, and it may prove more dangerous there. At the end of 2016, when Lookout sent Google a list of suspicious package names, Google’s team found that several Android devices appeared to have installed an app similar to Pegasus. Google named it Chrysaor after the brother of the winged horse Pegasus, the son of Poseidon and the Gorgon Medusa. Although the apps were never available in Google Play, Google researchers used Verify Apps to identify the problem almost immediately. Google noted that devices could only be affected if users were persuaded to install malicious apps from sources they do not trust, but it still contacted all potentially infected targets, disabled all apps on compromised devices and improved Verify Apps to protect users.
According to Google, “one representative sample” of Chrysaor was analyzed and found to be “tailored to devices running Jellybean (4.3) or earlier.” Such Android versions account for 12.6%, or about 176 million, of the devices currently in use.
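The two exposure conditions above (an Android release at Jelly Bean 4.3 or earlier, and apps installed from sources outside Google Play) can be checked by a defender from ordinary `adb shell` output. The triage script below is an added example, not code from Google or Lookout. It assumes the line formats of `getprop ro.build.version.release` (e.g. `4.3`), `pm list packages -i` (`package:<name>  installer=<installer>`) and `pm list packages -s` (`package:<name>`), and uses constructed sample output so it runs offline; the trusted-installer set and the sample package names are assumptions.

```python
"""Triage helper: flag Android devices exposed to Chrysaor-style sideloaded spyware.

Added illustration, not Google's or Lookout's code. Assumed inputs (constructed
here so the script runs offline) are the text of three adb commands:
  adb shell getprop ro.build.version.release   -> "4.3"
  adb shell pm list packages -i                -> "package:<name>  installer=<pkg>"
  adb shell pm list packages -s                -> "package:<name>"  (system apps)
"""
import re
from typing import Dict, List, Set, Tuple

# Assumption: only the Play Store counts as a trusted installer.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Google's sample was tailored to Jelly Bean (4.3) or earlier.
MAX_EXPOSED_VERSION: Tuple[int, int] = (4, 3)

# Constructed sample output (package names are hypothetical).
SAMPLE_RELEASE = "4.3"
SAMPLE_PM_INSTALLERS = """\
package:com.android.chrome  installer=com.android.vending
package:com.android.settings  installer=null
package:com.example.flashlight  installer=com.android.packageinstaller
package:com.example.reader  installer=null
"""
SAMPLE_PM_SYSTEM = """\
package:com.android.chrome
package:com.android.settings
"""


def parse_release(release: str) -> Tuple[int, int]:
    """Return (major, minor) from a release string such as '4.3' or '7.1.1'."""
    m = re.match(r"(\d+)\.(\d+)", release.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    return int(m.group(1)), int(m.group(2))


def os_exposed(release: str) -> bool:
    """True when major.minor is at or below the version Google's sample targeted."""
    return parse_release(release) <= MAX_EXPOSED_VERSION


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when none is recorded)."""
    result: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_package_list(pm_output: str) -> Set[str]:
    """Package names from plain `pm list packages` output."""
    return {
        line.strip()[len("package:"):]
        for line in pm_output.splitlines()
        if line.strip().startswith("package:")
    }


def sideloaded_packages(pm_installers: str, pm_system: str) -> List[str]:
    """Non-system packages whose installer is not in TRUSTED_INSTALLERS.

    'null' on a non-system package means no installer was recorded (for example
    an `adb install`), which a defender should also review, so it is flagged.
    """
    system = parse_package_list(pm_system)
    flagged = [
        pkg
        for pkg, installer in parse_installers(pm_installers).items()
        if pkg not in system and installer not in TRUSTED_INSTALLERS
    ]
    return sorted(flagged)


def triage(release: str, pm_installers: str, pm_system: str) -> Dict[str, object]:
    """Combine both checks into one report for a single device."""
    return {
        "release": release.strip(),
        "os_exposed": os_exposed(release),
        "sideloaded": sideloaded_packages(pm_installers, pm_system),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_RELEASE, SAMPLE_PM_INSTALLERS, SAMPLE_PM_SYSTEM)
    print(f"Android {report['release']}: exposed build = {report['os_exposed']}")
    for pkg in report["sideloaded"]:
        print(f"  review sideloaded package: {pkg}")
```

On the constructed sample the script reports the 4.3 build as exposed and flags the two hypothetical packages that were neither system apps nor installed from the Play Store; a package with a recorded non-Play installer or no installer at all is only a review candidate, not proof of infection.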
Chrysaor worked in a very clever way. First, it inserted itself into a single application downloaded by the victim. The malicious app requested seemingly innocent permissions and used them to install other apps with similar functions, leaving the whole system vulnerable. If Chrysaor was compromised, at risk of detection, or ordered by its server to destroy itself, it would delete itself from the target’s device without a trace.
Google and Lookout explained that Pegasus is highly versatile and can be used for keylogging, taking screenshots, capturing live audio, and grabbing messages and call records from browsers, messaging applications, email and contacts. It is even capable of controlling the phone’s cameras and microphones. The Android variant contains new tricks absent from the iOS version and is consequently easier to use. Chrysaor does not need any zero-day vulnerabilities to root the targeted device and install the spyware. Instead, the threat deploys a widely known rooting technique named Framaroot. If Pegasus’s zero-day attack failed to jailbreak iOS, the entire attack chain failed. In the same situation Chrysaor has a failsafe: it can still ask for permissions that give it access to the needed information and allow it to exfiltrate that data.
However, even though it is easier to work with, Chrysaor does not appear to be widespread. Google said it observed fewer than 36 installations among the 1.4 billion devices served by Google Play and Verify Apps.