Chrysaor: new surveillance malware spotted on Android devices

The development of potentially harmful applications for Android devices has reached a new peak. Hundreds of untrustworthy applications are released every day, but, as malware analysts have observed, not all of them have a goal to affect as many computers as possible. Threats targeting only a small number of devices exist too despite their developers’ efforts and time put into their development – this is called a targeted attack. Chrysaor is one of the newest potentially harmful applications engaged in the targeted attack on devices with the Android OS. Specialists generally refer to it as a potentially harmful application, but, as recent research has revealed, it is nothing more than spyware (software aiming to gather information about users). It is believed to be released by NSO Group Technologies and, according to researchers who have analyzed it, it seems to be a variant of Pegasus, which is yet another surveillance software first detected on devices running certain versions of iOS. Frankly speaking, there was not much known about Chrysaor until malware analysts gathered information from affected devices and carried out thorough research. Now they know everything about it.

Chrysaor is only used in the so-called targeted attack, so it is not available in Google Play. As a consequence, it is not spread on a massive, large-scale rate. Because of this, it has affected a small number of devices thus far. Analysts have detected no more than 3 dozen installs of Chrysaor on Android devices, which is a really small number if compared to infection rates of popular potentially harmful applications. These affected devices are located in Israel, Georgia, Mexico, Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, UAE, Ukraine, and Uzbekistan. Although it has managed to affect devices located in several different countries, its working scheme is the same in all the cases. Specific individuals are first persuaded into downloading this malicious application on their devices. After the successful installation, it attempts to root the Android device by using the Framaroot (a universal root method working on most devices with the Android OS) method. In case this does not work, malware tries out the pre-positioned Superuser binary. Once the device is rooted, Chrysaor protects itself and starts working as typical spyware, i.e. it starts collecting data. It is capable of finding out what victims do on affected devices, collecting their data, accessing microphone and camera, and, finally, reaching device’s Phone and SMS. To make sure that it can stay on the device and perform activities uninterrupted, Chrysaor disables auto-updates, removes the system update app on Samsung devices, and, last but not least, deletes WAP push messages and changes WAP message settings. On top of that, as researchers have observed, it can get onto the /system partition to stay on the affected device and continue its surveillance after the factory reset. Evidently, Chrysaor is sophisticated spyware.

Spyware is one of the most common types of malware, but Chrysaor, without a doubt, is not like other programs which fall into this category. It differs from them in a sense that it employs 6 techniques to collect data. These are the following: repeated commands (periodically repeats certain actions on the device), data collectors (they are used in conjunction with repeated commands to gather SMS messages, call logs, browser history, contact, emails, etc.), content observers (the framework ContentObserver belonging to Android is used), screenshots (captures screenshots behind the user’s back), keylogging (performs the action of logging input), and RoomTap (a technique allowing malware to answer telephone calls and stay connected). If something goes wrong, e.g. Chrysaor can no longer reach its server or there is a chance that it will be detected, it can remove itself from devices without leaving any traces, which proves again that its detection might be complicated.

Although Chrysaor cannot be called a prevalent malicious application, and the possibility to get infected with it is quite low, Android OS users should still be cautious because this spyware is a looming threat. First of all, according to security experts, they should download all apps from reputable sources ONLY, e.g. Google Play. The content of this source is monitored, so malware rarely manages to appear there. Second, it is recommended to set a screen lock. Third, devices should be updated periodically to get the latest security patches. Finally, the Verify Apps feature, which can help to avoid harmful apps, should be enabled on all Android devices. Fortunately, the infection rate of this spyware is not high, so there is almost a 0% chance to discover it on the Android-powered device.

Leave a Comment

Enter the numbers in the box to the right *