Chrysaor is an advanced Android malware family believed to be the counterpart of the Pegasus iOS spyware first identified in 2016. In April 2017, Google and Lookout researchers released a report detailing the activity of the newly discovered Chrysaor Android malware family. It was used in a small number of targeted attacks. Google identified three dozen users infected with the malware, all of them infected by an app installed from a third-party app store. The infected app was likely compiled in 2014, indicating there are likely more victims. The majority of known victims are located in Israel, Georgia, Mexico, and Turkey.

Chrysaor features include:

  • Keylogging.
  • Answering phone calls and listening in on conversations without user awareness.
  • Taking screenshots of the user's screen.
  • Accessing and viewing the front and rear cameras.
  • Using the ContentObserver framework to gather updates to apps and data sources such as SMS, calendar, contacts, cell info, email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype.
  • Collecting data on SMS settings, SMS messages, call logs, browser history, calendars, contacts, and emails.
  • Stealing messages from apps such as WhatsApp, Twitter, Facebook, Kakao, Viber, and Skype.
  • Using the alarm functionality to repeat malicious actions at certain intervals.
  • Installing itself in the /system folder to survive factory resets.
  • Sabotaging the phone's self-update features.
  • Disabling WAP push messages to hinder forensics operations.
  • Deleting itself when instructed or when the C2 server goes dormant.
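The /system persistence noted above is one of the few traits a responder can check for directly, since a factory reset wipes /data but leaves /system intact. The following triage helper is an added example, not code from the Google or Lookout report: it parses `pm list packages -f` style output (the sample lines below are constructed, and the flagged package name is a placeholder) and reports any package living under /system that a known-good baseline for the same build does not list.

```python
import re
from typing import Dict, List, Set

# Constructed sample of `adb shell pm list packages -f` output (assumption:
# the "package:<apk path>=<package name>" line format). The last entry is a
# hypothetical third-party package sitting under /system, the persistence
# pattern described above; its package name is a placeholder, not a real IoC.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/system/app/SysUpdate/SysUpdate.apk=com.example.placeholder.sysupdate
"""

# Constructed baseline: package names expected under /system on a clean
# device of the same build (in practice captured from a known-good unit).
CLEAN_SYSTEM_BASELINE: Set[str] = {"com.android.bluetooth", "com.android.settings"}

PM_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>\S+)$")


def parse_pm_list(output: str) -> Dict[str, str]:
    """Map package name -> APK path, skipping lines that do not parse."""
    pkgs: Dict[str, str] = {}
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs[m.group("pkg")] = m.group("path")
    return pkgs


def unexpected_system_packages(output: str, baseline: Set[str]) -> List[str]:
    """Packages installed under /system that the clean baseline does not list.

    Anything here that the build did not ship survives a factory reset and
    is worth pulling for analysis rather than trusting on sight.
    """
    pkgs = parse_pm_list(output)
    return sorted(
        pkg for pkg, path in pkgs.items()
        if path.startswith("/system/") and pkg not in baseline
    )


if __name__ == "__main__":
    for pkg in unexpected_system_packages(SAMPLE_PM_OUTPUT, CLEAN_SYSTEM_BASELINE):
        print("unexpected /system package:", pkg)
```

A baseline built from a second device of the same model and firmware build is what makes the comparison meaningful; the two-entry set here only stands in for that.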

Technical Details

  • Google and Lookout provide technical details of the Chrysaor malware.