Lookout, the cybersecurity company that co-discovered Pegasus and Trident, reported the findings on Monday in conjunction with a blog post from Google, Android's developer. Google has named the spyware Chrysaor, after the brother of the winged horse Pegasus in Greek mythology.
Unlike its iOS-based alter ego, Chrysaor does not exploit zero-day vulnerabilities to compromise devices; Instead, it leverages the well-known rooting technique framaroot to escalate privileges and break Android's application sandbox. Still, it shares the same developer as Pegasus and its capabilities are virtually identical, including keylogging, screenshot capture, live audio capture, remote control of malware via SMS, messaging data exfiltration; browser history exfiltration, email exfiltration from Android's native email client, and collection of contacts and text messages.
"Because so many people worldwide don't patch Android devices... the Android versions [of malware] rely less on zero-day type vulnerabilities," said Mike Murray, VP of security intelligence at Lookout, who told SC Media that attackers do not want to burn their most valuable zero-days unless they absolutely have to.
Chrysaor targets such applications as WhatsApp, Skype, Facebook, Twitter, Gmail and more. It can also remove itself from a device if it fails to detect a valid MCC subscriber ID, in order to avoid running on test devices and emulator devices that are not connected to a network, Lookout explained in a detailed technical analysis.
If the spyware's attempt to root the infected device falls short, Chrysaor has a back-up plan: the malware seeks permissions from the user that would allow it to access and exfiltrate data. "This means Pegasus for Android is easier to deploy on devices and has the ability to move laterally if the first attempt to hijack the device fails," Lookout explained.
Chrysaor's developer is NSO Group Technologies, an Israeli company with an alleged gray-hat reputation that sells cyber weapons to governments for state-sponsored activities. Before Apple patched the Trident vulnerabilities exploited by the Pegasus, the iOS malware was reportedly used to target a prominent UAE activist and a Mexican journalist, among other targets.
"Specifically, the products may only be used for the prevention and investigation of crimes," an NSO spokesperson Zamir Dahbash said in a statement last August, according to a Washington Post article.
Once Lookout had concluded its joint project with The Citizen Lab analyzing Pegasus for iOS, it was only common sense to see if there was any validity to NSO Group's business claims that it had a similar Android product. "As soon as we had analyzed the iOS version enough that we were comfortable that we understood the way NSO built their software and did business, [we realized] they probably weren't lying when they said they had an Android version. So we just went looking for it," said Murray, adding that there is likely also a Blackberry version of Pegasus as well.
In the course of their analysis, researchers found the Android version of Pegasus running on phones in Israel, Georgia, Mexico, Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, the UAE, Ukraine and Uzbekistan. However, the overall tally of affected phones was quite small, Google reported, with only three dozen installs of Chrysaor observed on victims' devices, none of which were the result of downloads from the official Google Play store.
"To install Chrysaor, we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device," Google blog post stated. "Once Chrysaor is installed, a remote operator is able to surveil the victim's activities on the device and within the vicinity, leveraging microphone, camera, data collection, and logging and tracking application activities on communication apps such as phone and SMS."