Invasive, self-destructing iOS hack is even worse on Android

If it can't root your phone, "Chrysaor" has other ways to steal data.

Security researchers from Google and Lookout are warning Android users about "one of the most sophisticated and targeted mobile attacks we've seen in the wild." Called Chrysaor, it's the sibling of Pegasus, a zero-day iOS exploit that was used to spy on a United Arab Emirates human rights activist. Once it is installed, attackers are able to spy on calls, texts and emails, use the microphone and camera, log keystrokes, and collect GPS and other user data.

In other words, this is not a hacking tool that was coded by "script kiddy" amateurs. Lookout believes it was developed for government surveillance use by NSO Group, a "cyber war" organization located in Israel that charges over $1 million to infect a phone with malware. (For more on what it can do, see Lookout's paper.)

There's a big difference between the Android and iOS versions, too. The iOS malware was designed to jailbreak the target device using three known zero-day vulnerabilities and then install malicious software. If the root failed, the attack failed, and back in August, Apple patched those three holes, effectively rendering Pegasus useless.

On Android devices, however, if Chrysaor can't root a device, it uses a failsafe to request permissions that still allow it to steal your data. "This means Pegasus for Android is easier to deploy on devices and has the ability to move laterally if the first attempt to hijack the device fails," Lookout Security VP Mike Murray wrote.

The camera, microphone and nearly every other Android phone sensor are vulnerable to Chrysaor.

Furthermore, the malware is designed to uninstall itself if there's any chance it will be spotted, presumably to let the malware purveyors use it with other clients. "Pegasus for Android will remove itself from the phone if the SIM MCC ID is invalid, an 'antidote' file exists, it has not been able to check in with the servers after 60 days, or it receives a command from the server to remove itself," Lookout says.

Lookout contacted the Android team after it spotted signs of the Android threat thanks to the work it did on Pegasus for iOS. In total, Google says that "a few dozen Android devices" may have been affected -- mostly in hotspots or war zones like Israel, Georgia, Mexico, Turkey, UAE and Ukraine.

While Chrysaor is not widespread, it represents the bleeding edge of smartphone malware, and Android users are more vulnerable than folks on iOS. Google says its latest security releases should help stop it, and adds that "no Chrysaor apps were on Google Play." As such, it advises Android users to avoid installing apps from sites they don't know.