Android version of Pegasus malware for iOS discovered on phones in eleven countries

Researchers at Lookout and Google have identified an Android variant of custom malware originally detected in targeted attacks against iOS last year. Called Pegasus, the malware is used against dissidents in multiple countries, and has full intercept capabilities.

Pegasus was developed for both iOS and Android by NSO Group Technologies. Founded in 2010, NSO Group is an Israeli company specializing in the development and sale of software designed for government surveillance.

Earlier this year, the company was linked to targeted attacks against proponents of Mexico’s 2014 soda tax, which the soda industry viewed as a threat to commercial interests in the country. In 2016, when Pegasus was first detected on iOS, the target was Ahmed Mansoor, a human rights activist in the UAE. The iOS attack was detected by Mansoor, who informed researchers at Citizen Lab, who worked with Lookout to investigate the malware.

The Pegasus infection on iOS started with a malicious text message, and leveraged three zero-day vulnerabilities in order to compromise the phone. Once compromised, the malware targets everything on the target’s iPhone, including iMessage, calendar, passwords, Gmail, Mail.ru, Viber, Facebook, VK, WhatsApp, Telegram, and Skype.

The Android version of the malware doesn’t need zero-day exploits, and performs the same data collection and offers the same function controls as previously observed with iOS, including keylogging, screen captures, and remote control via SMS. Pegasus will also self-destruct if the software senses there is a risk, or if a kill command is issued.

“Pegasus for Android does not require zero-day vulnerabilities to root the target device and install the malware. Instead, the threat uses an otherwise well-known rooting technique called Framaroot,” Lookout explained.
“In the case of Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. In the Android version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for permissions that would then allow it to access and exfiltrate data. The failsafe jumps into action if the initial attempt to root the device fails.”

Google’s name for Pegasus is Chrysaor, and the search giant labels it as a PHA or Potentially Harmful Application. The Android creator stated that after some research and with the help of Lookout and Citizen Lab, each of the potentially affected users has been contacted.

Google says they’ve detected fewer than three dozen (36) installs on victim devices, in Israel, Georgia, Mexico, Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, UAE, Ukraine, and Uzbekistan.

“It is extremely unlikely you or someone you know was affected by Chrysaor malware,” Google said.

“Through our investigation, we identified less than 3 dozen devices affected by Chrysaor, we have disabled Chrysaor on those devices, and we have notified users of all known affected devices. Additionally, the improvements we made to our protections have been enabled for all users of our security services.”