The malware records live audio by initiating a call with its C2 server.

The recently uncovered Chrysaor spyware tool has an amazingly complex and stealthy way to record audio that is able to fly under the user's radar.

Check Point dug a bit deeper into Chrysaor to see how it pulls off this trick after it was revealed earlier this week that the malware had been ported over for use on the Android platform from iOS.

The researchers found that once the malware is ensconced on a phone, usually through the use of a zero-day or a tailor-made social engineering scheme, it calls back to its command and control server. The server then calls the phone, but the malware intercepts the call, hides it from the device's owner behind an overlay window, and answers it through the phone's ITelephony API.

The malware then mutes the “conversation” between itself and the command and control server and blocks the media button as two extra layers of security.

“The remarkable sophistication and detail the malware uses to operate demonstrate the complexity and challenges mobile malware presents to a defender. The malware's authors made the utmost effort to keep the malware hidden from the user's eye and to draw no attention, while simultaneously exploiting his device to the extreme extent,” the Check Point research team wrote.

The team also believes this technology will soon be found on other types of malware.