Apple iOS Pegasus malware turns up on Android

Malware created by a cyber-arms dealer, claims Lookout Security

The Pegasus iOS malware has turned up on Android, according to Lookout Security, which has published a research paper on the malware it has christened 'Chrysaor'.

Lookout Security describes the malware as a sophisticated piece of weaponry and claims that it was created and sold by what it describes as a cyber arms dealer. In the Apple iOS world, the tool can be used to remotely jailbreak a phone, among other things.

"The security intelligence teams at Google and Lookout collaborated to discover and track Pegasus as it exists on the Android platform (aka Chrysaor) in order to roll out protection for Android users," wrote LookOut in its report.

"This investigation originated with the Lookout August report and led to all Android users being protected against this threat. On the Android platform, the Pegasus software has many of the same features that we described in the original Lookout report [on iOS Pegasus]."

The malware is able to capture a wide range of information from Google, such as email, as well as data from WhatsApp, Facebook and Twitter. It can also capture screenshots, log keystrokes and record audio. It is everything a government spy agency might want, in other words.

"Pegasus for Android is an example of the common feature-set that we see from nation states and nation-state-like groups. These groups produce advanced persistent threats (APT) for mobile with the specific goal of tracking a target not only in the physical world, but also the virtual world….," the report warns.

It continues: "Pegasus is highly advanced in its stealth, its use of exploits, its code obfuscation, and its encryption. It has a broad surveillanceware feature set."

Google has written its own blog post on the malware, making clear that the malicious app was never listed on the Play store, and that it has already conducted a sweep for anything resembling the malware.

Google's post also suggests that Pegasus, or Chrysaor, was created by the shady NSO Group Technologies outfit.

"Google is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on one or a very small number of devices," it explains.

"This is known as a targeted attack. Chrysaor was never available in Google Play and had a very low volume of installs outside of Google Play. Among the over 1.4 billion devices protected by Verify Apps, we observed fewer than three dozen installs of Chrysaor on victim devices."