Chrysaor is a surveillance application designed for use in targeted attacks, likely developed by the NSO Group. It was reported on April 3, 2017 by Google and Lookout, who released a technical analysis (calling it “Pegasus for Android”).
From the way Chrysaor is designed, we believe that it is sent directly to users in phishing-style messages, similar to the way Citizen Lab reports that Pegasus was deployed. Unlike Pegasus, it appears that the user must choose to install the app for it to work. Once on a device, it attempts to root the device and install itself in a location that persists across factory resets. Even if it fails to root the device, Chrysaor still carries out some of its malicious functions; Pegasus, by contrast, requires a remote jailbreak before it can install at all.
When a user installs Chrysaor on their device, it harvests information and sends it back to a command and control server. This includes user data such as email and SMS messages, call logs, contacts, and browser history, as well as messages from popular apps including Facebook, Twitter, and WhatsApp. It can also take screenshots, log keystrokes, and provide a “room tap” by silently answering a phone call, with no indication to the user that the call is in progress.
Very few samples of Chrysaor have been seen in the wild, and none have been discovered on Appthority customers’ devices. It has never been on the Play Store. Google reports that its Verify Apps service, which runs on 1.4 billion devices, has seen fewer than three dozen installs of the malicious app. Moreover, most of these installs are in Israel, where NSO Group is headquartered, and are likely on NSO Group test devices. Other countries where Chrysaor was found include Georgia, Mexico, Turkey, Kenya, Kyrgyzstan, Nigeria, Tanzania, UAE, Ukraine, and Uzbekistan.
While some media reports describe Chrysaor as very dangerous and sophisticated, the technical details released tell a different story. The discovered apps date from 2014 and use only exploits from the public Framaroot collection. Some of its functionality is interesting, such as uninstalling itself if it is not working properly and out-of-band configuration over SMS, but it still poses a lower risk because a user must take action to install it.
Appthority customers can protect against the Chrysaor threat by adding the new ‘Infected by Chrysaor’ behavior to their organization’s Appthority App Policies in the Appthority portal. Please refer to our Appthority support article to begin using the new ‘Infected by Chrysaor’ behavior.
We also recommend two additional best practices: keep devices up to date with the latest security patches, and install apps only from trustworthy sources. Because Chrysaor does not use remote exploits for installation, disabling installation of third-party (sideloaded) apps will prevent it from being installed.
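As an added, defender-side example that is not part of the Appthority post or its product: a POSIX shell audit that checks the two conditions the mitigation above depends on, using output in the format of `adb shell pm list packages -i` and `adb shell settings get secure install_non_market_apps`. It assumes those output formats, treats only the Play Store as a trusted installer, and uses constructed sample output rather than a live device; on Android 8.0 and later the unknown-sources setting is granted per app, so the settings check applies to older devices.

```shell
#!/bin/sh
# Added example (not from the Appthority post): flag sideloaded packages and
# check whether unknown-source installs are disabled, from captured adb output.

# Assumption: only the Play Store counts as a trusted installer. Add an OEM
# store package name here if your fleet uses one.
TRUSTED_INSTALLERS="com.android.vending"

# Constructed sample in `pm list packages -i` format, not from a real device.
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.whatsapp  installer=com.android.vending
package:com.example.browserdl  installer=com.android.chrome'

# Print one package name per line for every package whose recorded installer
# is not in TRUSTED_INSTALLERS. A missing "installer=" field is treated as
# untrusted, so such lines are flagged rather than silently skipped.
sideloaded_packages() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            package:*) ;;
            *) continue ;;
        esac
        pkg=${line#package:}
        pkg=${pkg%% *}                 # name runs up to the first space
        inst=${line##*installer=}      # "null" when no installer was recorded
        trusted=0
        for t in $TRUSTED_INSTALLERS; do
            if [ "$inst" = "$t" ]; then trusted=1; fi
        done
        if [ "$trusted" -eq 0 ]; then printf '%s\n' "$pkg"; fi
    done
}

# Return 0 when unknown-source installs are disabled, 1 when they are enabled.
# Input is the value printed by `settings get secure install_non_market_apps`;
# "null" (never set) is treated as the disabled default.
unknown_sources_disabled() {
    case "$1" in
        0|null) return 0 ;;
        *)      return 1 ;;
    esac
}

# Usage with the constructed sample; on a real device replace the arguments
# with the captured adb output.
if unknown_sources_disabled null; then
    echo "unknown sources: disabled"
else
    echo "unknown sources: ENABLED (sideloading possible)"
fi
echo "packages not installed by a trusted store:"
sideloaded_packages "$SAMPLE_PM_OUTPUT"
```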