Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Android Chrysaor spyware went undetected for years

Chrysaor spyware is an Android surveillance malware that remained undetected for at least three years, NSO Group Technology is suspected to be the author. Security experts at Google and Lookout spotted an Android version of one of the most sophisticated mobile spyware known as Chrysaor that remained undetected for at least three years. due to its […]

Android Chrysaor spyware went undetected for years

Chrysaor spyware is an Android surveillance malware that remained undetected for at least three years, NSO Group Technology is suspected to be the author.

Security experts at Google and Lookout spotted an Android version of one of the most sophisticated mobile spyware known as Chrysaor that remained undetected for at least three years. due to its smart self-destruction capabilities.The experts, in fact, were not able to analyse the threat due to its smart self-destruction capabilities. The Chrysaor spyware has been found installed on fewer than three-dozen Android devices.
Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel, other victims were in Georgia, Turkey, Mexico, the UAE and other countries. Experts believe the Chrysaor espionage Android malware was developed by the Israeli surveillance firm NSO Group Technologies.
Experts believe the Chrysaor espionage Android malware was developed by the Israeli surveillance firm NSO Group Technologies, we met this company when researchers spotted its Pegasus iOS spyware in the wild.

The Chrysaor Android spyware implements several features including:

  • Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
  • Controlling device remotely from SMS-based commands.
  • Recording Live audio and video.
  • Keylogging and Screenshot capture.
  • Disabling of system updates to prevent vulnerability patching.
  • Spying on contacts, text messages, emails and browser history.
  • Self-destruct to evade detection
chrysaor spyware

The surveillance firm NSO Group Technologies produce the best surveillance technology to governments, law enforcement agencies worldwide, but privacy advocates and activists accuse the firm of selling its malware also to dictatorial regimes.

“Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps,” reads a blog post published by Google.

“We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”

The threat was hard to analyse because it has the ability to delete itself when detect any suspicious activity that could be related to its detection.

“Pegasus for Android will remove itself from the phone if:

  • The SIM MCC ID is invalid
  • An “antidote” file exists
  • It has not been able to check in with the servers after 60 days
  • It receives a command from the server to remove itself
    rchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.” reads the analysis published by Lookout.

Chrysaor exploits a well-known Android-rooting exploit called Framaroot to root the device and gain full control over the mobile device.

The experts noticed that the Chrysaor spyware back to 2014, this means that it is possible that NSO group might have discovered zero-day vulnerabilities in Android OS and has implemented the exploit code in the latest version of Chrysaor spyware.

Lookout published a detailed analysis of the Chrysaor spyware titled “Pegasus for Android: Technical Analysis and Findings of Chrysaor.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Chrysaor spyware , surveillance)