How Pegasus for Android was unmasked
- By Matt Leonard
- Apr 12, 2017
When security researchers found an iOS spyware called Pegasus last year, they also found material from the group that created it, the Israeli company NSO Group, suggesting there was a similar program for Android. Now they’ve found it.
“We always believed that it existed,” said Mike Murray, the VP of security intelligence at Lookout, a mobile cybersecurity firm that first identified Pegasus. “The real story here is that this software could go under the radar … for so long and manage to hide itself.”
Pegasus for iOS and Pegasus for Android, which the security researchers at Lookout and Google are calling Chrysaor, are similar. Both applications steal the contacts of the device they are installed on, allow access to email and social media accounts and reveal messaging conversations. Additionally, both can turn a phone into a listening device, a feature that NSO refers to as “room tap” in its marketing material, Murray said.
The application was never available in the Google Play store and only landed on devices through phishing efforts, according to Google. Google was able to use data from Verify Apps -- a feature of Android devices that scans installed applications to check for malware -- to find instances of Chrysaor. It found about three dozen installations across the 1.4 billion devices that use Verify Apps.
Numbers from Google show that the most installations of Chrysaor were within Israel, followed by Georgia, Mexico and Turkey. Google has contacted the people who were affected by the spyware and is helping them remediate the threat.
Chrysaor is not a tool used against targets selected by NSO. The targets are picked by customers that buy the service. NSO says it sells its spyware to governments that will only use it for legal purposes, but Murray said that doesn’t put many limits on how it could be used.
“However a government uses the software is by definition legal because they are the law,” he said.
To find Chrysaor, Murray said the researchers had to start out by making some assumptions. When an organization like NSO, which relies heavily on stealth and security, finds a tactic that works, it will use it over and over again. So using their knowledge of Pegasus for iOS, security researchers started looking for applications that had file names and software infrastructure that could be consistent with what NSO used for Pegasus.
They found a few applications that appeared only on devices where a Pegasus deployment already seemed likely. They eventually uncovered comm.network.android -- the app that allowed this iteration of Chrysaor onto devices.
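The hunting logic described in the two paragraphs above (start from indicators reused from the iOS findings, then look for packages that show up only on devices already suspected of carrying Pegasus) can be sketched as a co-occurrence check. The following is an added illustration written for this article, not Lookout's or Google's tooling; the device inventories and the indicator name `ioc.example.pegasus` are constructed placeholders, and only `comm.network.android` is a name the article itself mentions.

```python
from collections import Counter

# Constructed inventory: device id -> set of installed package names.
# Placeholder data made up for this example, not Verify Apps telemetry
# or Lookout research data. Only "comm.network.android" is taken from
# the article; every other name is invented.
DEVICES = {
    "dev-01": {"com.android.chrome", "com.google.android.apps.maps",
               "comm.network.android", "ioc.example.pegasus",
               "com.example.onlyonce"},
    "dev-02": {"com.android.chrome", "com.whatsapp",
               "comm.network.android", "ioc.example.pegasus"},
    "dev-03": {"com.android.chrome", "com.google.android.apps.maps",
               "com.whatsapp"},
    "dev-04": {"com.android.chrome", "com.example.flashlight"},
    "dev-05": {"com.android.chrome", "com.example.flashlight",
               "comm.network.android", "ioc.example.pegasus"},
}

# Hypothetical indicator list: names assumed (for this example only) to be
# already tied to a Pegasus deployment, e.g. reused from the iOS findings.
KNOWN_IOCS = {"ioc.example.pegasus"}


def split_devices(devices, known_iocs):
    """Partition devices into (suspected, clean) by presence of a known indicator."""
    suspected = {dev for dev, pkgs in devices.items() if pkgs & known_iocs}
    clean = set(devices) - suspected
    return suspected, clean


def candidate_packages(devices, known_iocs, min_hits=2):
    """Packages seen on at least `min_hits` suspected devices and on no clean device.

    The known indicators themselves are excluded: the goal is to surface
    the *unknown* component that travels with them.
    """
    suspected, clean = split_devices(devices, known_iocs)
    hits = Counter(pkg for dev in suspected for pkg in devices[dev])
    seen_on_clean = set().union(*(devices[dev] for dev in clean))
    return {
        pkg for pkg, count in hits.items()
        if count >= min_hits
        and pkg not in seen_on_clean
        and pkg not in known_iocs
    }


if __name__ == "__main__":
    suspected, _ = split_devices(DEVICES, KNOWN_IOCS)
    print("suspected devices:", sorted(suspected))
    # Expected: ['comm.network.android'] -- chrome is dropped because it is
    # also on clean devices, com.example.onlyonce because it is seen once.
    print("candidates:", sorted(candidate_packages(DEVICES, KNOWN_IOCS)))
```

The `min_hits` threshold and the "never on a clean device" rule are the two knobs that keep popular, benign packages out of the result; in real telemetry the "clean" population is only approximately clean, so candidates found this way are leads for manual analysis of the APK, not verdicts.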
“It was made to look completely innocuous,” Murray said.
This discovery won’t be the end of programs like Pegasus and Chrysaor. The spyware will just adapt in the ever-evolving “cat and mouse” game of digital security, Murray said.
Matt Leonard is a former reporter for GCN.