Today, Google announced the discovery of a new family of Android malware. The malware is believed to be a product of NSO Group, the company that developed the Pegasus malware for iOS and is known to sell cyber-espionage tools to nation states. Google named it Chrysaor, after the brother of Pegasus in Greek mythology; in this case, Chrysaor can be considered the less talented brother. Learn more about the Pegasus malware here.
While the Pegasus disclosure uncovered three highly sophisticated iOS vulnerabilities that worked together to jailbreak the device, infiltrate it and persist on it, Chrysaor presents nothing new. It relies on a very old rooting tool, or on root access that already exists on the device, to exercise its full capabilities.
Google shared that variants of the malware were seen on fewer than three dozen devices, none of them in the US or the EU. The distribution by country is as follows:
[Figure: distribution of the observed devices by country]
Chrysaor's capabilities depend heavily on the phone already being rooted or on its own rooting attempt succeeding; if it cannot obtain root, only limited functionality remains.
The full capabilities are:
- Obtaining root on some devices running versions older than Android 4.3
- Exfiltrating the databases of popular communication apps: WhatsApp, Skype, Facebook, Twitter, Gmail, Calendar and more
- Audio surveillance
- Removing itself on command
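The exposure model in the list above (existing root gives the malware everything, a device older than Android 4.3 can be rooted by the bundled tool, anything else gets only the limited functionality) is simple enough to encode as a fleet triage check. The script below is an added example, not Skycure's or Google's code; it assumes a device inventory exported from an MDM as (device id, Android release string, rooted flag), the sample records are constructed, and the 4.3 cutoff is taken as stated on this page. The one non-obvious detail is the version comparison: release strings must be compared numerically, since as plain strings "4.10" sorts before "4.3".

```python
"""Fleet triage for the Chrysaor exposure model described above.

Added example, not Skycure's or Google's code. Assumes an inventory of
devices as (device id, ro.build.version.release text, rooted flag).
"""
from typing import Dict, Iterable, Tuple

# Page: the bundled rooting tool works on devices older than Android 4.3.
ROOTING_TOOL_CUTOFF = (4, 3)


def parse_release(release: str) -> Tuple[int, ...]:
    """Turn release text such as '4.2.2', '4.4' or '4.4W' into an int tuple.

    Numeric tuples compare correctly ((4, 10) > (4, 3)), unlike raw strings,
    where '4.10' < '4.3'. A non-digit suffix (e.g. the 'W' in '4.4W') ends
    the component it appears in; anything after it is ignored.
    """
    parts = []
    for component in release.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts) or (0,)


def classify(release: str, rooted: bool) -> str:
    """Map one device to the exposure level implied by the capability list."""
    if rooted:
        return "full (existing root)"
    if parse_release(release) < ROOTING_TOOL_CUTOFF:
        return "full (rootable by bundled tool)"
    return "limited (no root path)"


# Constructed sample inventory, not real telemetry.
SAMPLE_INVENTORY = [
    ("dev-001", "4.2.2", False),
    ("dev-002", "4.3", False),
    ("dev-003", "4.4.4", True),
    ("dev-004", "7.1.1", False),
    ("dev-005", "4.10", False),   # hypothetical version, shows the string-compare pitfall
]


def triage(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Return {device id: exposure level} for every device in the inventory."""
    return {dev: classify(release, rooted) for dev, release, rooted in inventory}


if __name__ == "__main__":
    for dev, level in triage(SAMPLE_INVENTORY).items():
        print(f"{dev}: {level}")
```

Devices in either "full" bucket are the ones to pull for inspection first; the "limited" bucket still matters, since the page notes that some functionality survives a failed rooting attempt.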
As with any exploit, what matters most for enterprises is that their mobile devices are protected from exploits even before they are disclosed and described. Chrysaor uses techniques that Skycure was already protecting against before this disclosure. Skycure had detected several instances of Chrysaor in the field before today, and none of our enterprise users were affected by any of the samples described, including the ones not made public. All of the variants will be detected when seen by Skycure.
Note: We assume that this discovery has the same origins as the original Pegasus iOS malware, and that specific samples were subsequently shared with the same limited set of parties. Today's announcement indicates that Google has completed its analysis and may have added some protections.