The latest findings on Chrysaor (Pegasus for Android) are even more stealthy

Earlier this week Google published a research about a new sophisticated spyware tool for Android, believed to be related to the Pegasus malware for iOS, which was discovered in August 2016. As Google wrote in their blog, the malware was most likely created by the authors of Pegasus – the NSO group, and shares many common features as Pegasus.

What’s the big news?

Chrysaor is a fully developed spy tool for Android devices, and can allow attackers to surveil their targets’ every move. Chrysaor has implemented elaborate modules to listen in on conversations, take screenshots and surveil the device’s surroundings, steal sensitive data and read SMS messages. This malware presents a unique opportunity to understand the full scope of actions which can turn your phone into the perfect surveillance tool.

First thing’s first – infection & exploitation

According to Google, the attackers use elaborate tailor-made social engineering scams to infect users with the malware, and grant it the necessary permissions. However, it is likely that such an advanced threat also employed zero-day exploits which have yet to be uncovered. Once installed on a device, Chrysaor attempts to root it to achieve full control over it. In the samples discovered so far, the malware uses an ordinary exploit kit called “Framaroot,” which is also used by low-level malware in the wild. This is a significant divergence from the iOS version of the malware, which used dedicated zero-day exploits as part of its operation. This is another indication to the strong connection between mobile malware developed by threat actors from different origins. As we wrote after the Vault 7 leak, users and organizations should watch out for the most sophisticated threats out there.

How Chrysaor records live audio without alerting the user?

 One of the most interesting features in Chrysaor’s operation is the live audio recording, a feat which requires the attackers to overcome considerable challenges. Check Point researchers expanded the investigation and revealed an additional layer of the malware’s audio recording operation. Once its preconditions for audio surveillance are met, the malware notifies its command and control server, which then initiates a call to the device. The malware then intercepts the call and checks if the incoming number matches the necessary settings. If the answer is yes, it hides the call with an overlay window, and then answers it, using the headset or the ITelephony API. Chrysaor then continues to mute the conversation and blocks the media button to ensure the user will remain unaware to the James Bond operation happening under the surface.

The remarkable sophistication and detail the malware uses to operate demonstrate the complexity and challenges mobile malware presents to a defender. The malware’s authors made the utmost effort to keep the malware hidden from the user’s eye and to draw no attention, while simultaneously exploiting his device to the extreme extent. As happened with previous malware, we have no doubt these elaborate tactics will soon be copied by ordinary malware in the wild. This is yet another proof that users and organizations must take mobile threats seriously, and implement advanced security measures capable of detecting and blocking zero-day exploits and top tier malware.

Check Point users are protected from this threat

Check Point’s Mobile Threat Prevention detected and blocked this malware on its first attempt, proving once again it is the best defense for your mobile device, against both regular and extraordinary malware. For more information, visit