Google has discovered a family of sophisticated spyware, dubbed Chrysaor, that remained undetected for at least three years because of its smart self-destruct capability and because it targets a very small number of devices.
In a blog post published Monday, Google said, “Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps.”
“We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”
Chrysaor is believed to have been created by NSO Group Technologies, which creates and sells software to others, including governments and law enforcement agencies, for targeted attacks. It is believed to be related to the Pegasus spyware that was first identified on iOS and that was used in a targeted attack against human rights activists in the United Arab Emirates last year.
Chrysaor has been used in targeted attacks against activists and journalists, mostly in Israel, Georgia, Turkey, Mexico, the UAE and other countries.
Lookout researchers reported a list of suspicious packages, and after that report Google found a dozen Android devices with an application related to Pegasus installed. Pegasus was first identified by Lookout and Citizen Lab.
Chrysaor Uses Various Techniques To Collect User Data:
- Chrysaor uses a data collector to harvest user data, including SMS settings, SMS messages, call logs, browser history, calendar, contacts, emails, and messages from selected messaging apps, including WhatsApp, Twitter, Facebook, Kakao, Viber, and Skype, by making the apps' /data/data directories world readable.
- It also uses Android’s ContentObserver framework to harvest changes in SMS, Calendar, Contacts, Cell info, Email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype.
- Screenshot capture via raw frame buffer.
- Keylogging – records every input or keystroke by hijacking IPCThreadState::Transact from /system/lib/libbinder.
- Self-destruct to evade detection
- Live audio capture
- Remote control of the device through SMS-based commands.
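A defensive check for the directory-permission change described in the first list item, added here as an example and not taken from Google's or Lookout's analysis: it parses `ls -l /data/data` output captured from a device under examination and reports app data directories that grant read or write access to all users. The sample listing, the package names and the function name are constructed, and the example assumes that a normal app data directory has no world-read or world-write bit.

```python
# Constructed sample of `ls -l /data/data` output from a device being examined.
# Package names are made up. Both the older toolbox layout (no link count or
# size) and the newer toybox layout appear, since either may be encountered.
SAMPLE_LS = """\
total 16
drwxr-x--x u0_a57   u0_a57            2017-04-03 10:21 com.example.chat
drwxr-xr-x u0_a61   u0_a61            2017-04-03 10:22 com.example.messenger
drwxr-x--x  4 u0_a70 u0_a70 4096 2017-04-03 10:25 com.example.mail
drwxrwxrwx  5 u0_a72 u0_a72 4096 2017-04-03 10:26 com.example.voip
lrwxrwxrwx  1 root   root     12 2017-04-03 10:27 com.example.link -> /data/user/0
"""


def world_accessible_dirs(ls_output):
    """Return (name, mode, flags) for directories open to all users.

    Assumption of this example: an app data directory should carry neither
    the world-read nor the world-write bit, so either one is worth a look.
    """
    findings = []
    for line in ls_output.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        mode = fields[0]
        # Skip the "total" line, plain files and symlinks; only directories count.
        if len(mode) < 10 or mode[0] != "d":
            continue
        other = mode[7:10]  # permission triplet for "other" users
        flags = []
        if other[0] == "r":
            flags.append("world-readable")
        if other[1] == "w":
            flags.append("world-writable")
        if flags:
            # The name is the last field in both listing layouts.
            findings.append((fields[-1], mode[:10], flags))
    return findings


if __name__ == "__main__":
    for name, mode, flags in world_accessible_dirs(SAMPLE_LS):
        print(f"{name}: {mode} ({', '.join(flags)})")
```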
Lookout security researcher Michael Flossman said, “If it feels like it’s going to be found, it removes itself. That’s why it took so long to find these samples.”
Lookout has provided a full analysis of Chrysaor in its PDF report titled “Pegasus for Android: Technical Analysis and Findings of Chrysaor.”
How To Protect Yourself:
- Install apps only from verified sources like the Play Store.
- Enable a secure lock screen with a PIN, pattern or password that is hard to guess.
- Ensure Verify Apps is enabled.
- Keep your devices up-to-date by installing the latest security patches.