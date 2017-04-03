News

Android version of iOS malware used in targeted attacks discovered

Android version of Pegasus malware for iOS discovered on phones in eleven countries


Researchers at Lookout and Google have identified an Android variant of custom malware originally detected in targeted attacks against iOS last year. Called Pegasus, the malware is used against dissidents in multiple countries, and has full intercept capabilities.

Pegasus was developed for both iOS and Android by NSO Group Technologies. Founded in 2010, NSO Group is an Israeli company specializing in the development and sale of software designed for government surveillance.

Earlier this year, the company was linked to targeted attacks against proponents of Mexico's 2014 soda tax, which the soda industry viewed as a threat to its commercial interests in the country. In 2016, when Pegasus was first detected on iOS, the target was Ahmed Mansoor, a human rights activist in the UAE. The iOS attack was noticed by Mansoor himself, who informed researchers at Citizen Lab; they in turn worked with Lookout to investigate the malware.

The Pegasus infection on iOS started with a malicious text message and leveraged three zero-day vulnerabilities to compromise the phone. Once the device was compromised, the malware collected data from everything on the victim's iPhone, including iMessage, calendar, passwords, Gmail, Mail.ru, Viber, Facebook, VK, WhatsApp, Telegram, and Skype.

The Android version of the malware does not need zero-day exploits, yet it performs the same data collection and offers the same remote-control functions previously observed on iOS, including keylogging, screen captures, and remote control via SMS. Pegasus will also self-destruct if it senses there is a risk, or if a kill command is issued.

"Pegasus for Android does not require zero-day vulnerabilities to root the target device and install the malware. Instead, the threat uses an otherwise well-known rooting technique called Framaroot," Lookout explained.

"In the case of Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. In the Android version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for permissions that would then allow it to access and exfiltrate data. The failsafe jumps into action if the initial attempt to root the device fails."
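The fallback Lookout describes, where the implant simply asks for permissions when rooting fails, leaves a trace a defender can look for in a device inventory: a sideloaded package that requests permissions spanning messaging, audio, contacts, location, screen content and persistence at once. The following Python is an added example, not code from the article, Lookout or Google. It scores installed apps by how many such capability buckets their requested permissions cover and weights packages not installed from the Play Store more heavily. The permission names are Android's real constants; the grouping into buckets, the weighting, the threshold and the sample inventory are this example's own assumptions.

```python
"""Permission-combination triage for installed Android apps.

Added example, not code from the article, Lookout or Google. It assumes the
list of installed packages, their installer and their requested permissions
has already been collected from the device (for example from the output of
`adb shell dumpsys package`; parsing that output is out of scope here).
The inventory at the bottom is constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Real Android permission constants, grouped into the capability buckets a
# data-stealing implant would want. The grouping itself is this example's
# assumption, not a list published by Lookout or Google.
CAPABILITIES = {
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "screen": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "persistence": {"android.permission.BIND_DEVICE_ADMIN",
                    "android.permission.RECEIVE_BOOT_COMPLETED"},
}

PLAY_STORE_INSTALLER = "com.android.vending"
SIDELOAD_WEIGHT = 2       # assumption: unknown installer adds this much risk
DEFAULT_THRESHOLD = 4     # assumption: score at or above this gets flagged


@dataclass
class App:
    package: str
    installer: Optional[str]              # None = sideloaded / unknown source
    permissions: Set[str] = field(default_factory=set)


def capability_hits(app: App) -> Set[str]:
    """Return the capability buckets covered by the app's requested permissions."""
    return {name for name, perms in CAPABILITIES.items() if perms & app.permissions}


def risk_score(app: App) -> int:
    """One point per capability bucket, plus a penalty for non-Play installs."""
    score = len(capability_hits(app))
    if app.installer != PLAY_STORE_INSTALLER:
        score += SIDELOAD_WEIGHT
    return score


def triage(apps: List[App], threshold: int = DEFAULT_THRESHOLD) -> List[Tuple[str, int, List[str]]]:
    """Return (package, score, sorted capability names) for apps at or above threshold."""
    flagged = [(a.package, risk_score(a), sorted(capability_hits(a)))
               for a in apps if risk_score(a) >= threshold]
    return sorted(flagged, key=lambda row: row[1], reverse=True)


# Constructed sample inventory: three ordinary apps and one sideloaded package
# that asks for everything at once (the permission-fallback pattern).
SAMPLE_INVENTORY = [
    App("com.example.weather", PLAY_STORE_INSTALLER,
        {"android.permission.ACCESS_FINE_LOCATION", "android.permission.INTERNET"}),
    App("com.example.smsbackup", PLAY_STORE_INSTALLER,
        {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
         "android.permission.READ_CONTACTS"}),
    App("com.example.sysupdate", None,
        {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
         "android.permission.RECORD_AUDIO", "android.permission.READ_CONTACTS",
         "android.permission.ACCESS_FINE_LOCATION",
         "android.permission.BIND_ACCESSIBILITY_SERVICE",
         "android.permission.BIND_DEVICE_ADMIN",
         "android.permission.RECEIVE_BOOT_COMPLETED"}),
    App("com.example.game", None, {"android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for package, score, caps in triage(SAMPLE_INVENTORY):
        print(f"{package}: score {score}, capabilities {', '.join(caps)}")
```

A legitimate SMS backup app from the Play Store scores 2 here and stays below the threshold; the sideloaded package that covers all six buckets scores 8 and is the only one flagged. The score is a triage signal for a human analyst, not a verdict, and the threshold should be tuned against a known-good inventory before it is used on a fleet.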

Google's name for Pegasus is Chrysaor, and the search giant labels it a PHA, or Potentially Harmful Application. Google stated that after its own research, and with the help of Lookout and Citizen Lab, each of the potentially affected users has been contacted.

Google says it has detected fewer than three dozen (36) installs on victim devices, in Israel, Georgia, Mexico, Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, UAE, Ukraine, and Uzbekistan.

"It is extremely unlikely you or someone you know was affected by Chrysaor malware," Google said.

"Through our investigation, we identified less than 3 dozen devices affected by Chrysaor, we have disabled Chrysaor on those devices, and we have notified users of all known affected devices. Additionally, the improvements we made to our protections have been enabled for all users of our security services."

Steve Ragan is senior staff writer at CSO. Prior to joining the journalism world in 2005, Steve spent 15 years as a freelance IT contractor focused on infrastructure management and security.
