Posted by Rich Cannings, Jason Woloz, Neel Mehta, Ken Bodzak, Wentao Chang, Megan Ruthven

Google is constantly working to improve our systems that protect users fromPotentiallyHarmful Applications (PHAs). Usually, PHA authors attempt to install theirharmful apps on as many devices as possible. However, a few PHA authors spendsubstantial effort, time, and money to create and install their harmful app onone or a very small number of devices. This is known as atargeted attack.

In this blog post, we describe Chrysaor, a newly discovered family of spywarethat was used in a targeted attack on a small number of Android devices, and howinvestigations like this help Google protect Android users from a variety ofthreats.

What is Chrysaor?

Chrysaor is spyware believed to be created byNSO Group Technologies,specializing in the creation and sale of software and infrastructure fortargeted attacks. Chrysaor is believed to be related to the Pegasus spyware thatwasfirstidentified on iOS and analyzed byCitizenLab andLookout.

Late last year, after receiving a list of suspicious package names from Lookout,we discovered that a few dozen Android devices may have installed an applicationrelated to Pegasus, which we named Chrysaor. Although the applications werenever available in Google Play, we immediately identified the scope of theproblem by usingVerify Apps. We gathered information from affected devices, and concurrently, attempted toacquire Chrysaor apps to better understand its impact on users. We've contactedthe potentially affected users, disabled the applications on affected devices,and implemented changes in Verify Apps to protect all users.

What is the scope of Chrysaor?

Chrysaor was never available in Google Play and had a very low volume ofinstalls outside of Google Play. Among the over 1.4 billion devices protected byVerify Apps, we observed fewer than 3 dozen installs of Chrysaor on victimdevices. These devices were located in the following countries:

How we protect you

To protect Android devices and users, Google Play provides a complete set ofsecurity services that update outside of platform releases. Users don't have toinstall any additional security services to keep their devices safe. In 2016,these services protected over 1.4 billion devices, making Google one of thelargest providers of on-device security services in the world:

• IdentifyPHAs using people, systems in the cloud, and data sent to us from devices
• Warn usersabout or blocking users from installing PHAs
• Continuallyscan devices for PHAs and other harmful threats

Additionally, we are providing detailed technical information to help thesecurity industry in our collective work against PHAs.

What do I need to do?

It is extremely unlikely you or someone you know was affected by Chrysaormalware. Through our investigation, we identified less than 3 dozen devicesaffected by Chrysaor, we have disabled Chrysaor on those devices, and we havenotified users of all known affected devices. Additionally, the improvements wemade to our protections have been enabled for all users of our securityservices.
To ensure you are fully protected against PHAs and other threats, we recommendthese 5 basic steps:

• Install apps only from reputable sources:Install apps froma reputable source, such asGoogle Play. NoChrysaor apps were on Google Play.
• Enable asecure lock screen: Pick a PIN, pattern, or password that is easyfor you to remember and hard for others to guess.
• Updateyour device: Keep your device up-to-date with the latest securitypatches.
• VerifyApps: Ensure Verify Apps is enabled.
• Locate your device: Practice finding your device withAndroid Device Managerbecause you are far more likely to lose your device than install aPHA.

How does Chrysaor work?

To install Chrysaor, we believe an attacker coaxed specifically targetedindividuals to download the malicious software onto their device. Once Chrysaoris installed, a remote operator is able to surveil the victim's activities onthe device and within the vicinity, leveraging microphone, camera, datacollection, and logging and tracking application activities on communicationapps such as phone and SMS.

One representative sample Chrysaor app that we analyzed was tailored to devicesrunning Jellybean (4.3) or earlier. The following is a review of scope andimpact of the Chrysaor app namedcom.network.androidtailored for aSamsung device target, with SHA256 digest:

ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5

Upon installation, the app uses known framaroot exploits to escalate privilegesand break Android's application sandbox. If the targeted device is notvulnerable to these exploits, then the app attempts to use a superuser binarypre-positioned at/system/csk to elevate privileges.

After escalating privileges, the app immediately protects itself and starts tocollect data, by:

• Installing itself on the /system partition to persist acrossfactory resets
• Removing Samsung's system update app(com.sec.android.fotaclient) and disabling auto-updates to maintainpersistence (setsSettings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0)
• Deleting WAP push messages and changing WAP message settings, possibly foranti-forensic purpose.
• Starting content observers and the main task loop to receive remote commandsand exfiltrate data

The app uses six techniques to collect user data:

• Repeated commands: use alarms to periodically repeatactions on the device to expose data, including gathering location data.
• Data collectors: dump all existing content on the deviceinto a queue. Data collectors are used in conjunction with repeated commands tocollect user data including, SMS settings, SMS messages, Call logs, BrowserHistory, Calendar, Contacts, Emails, and messages from selected messaging apps,including WhatsApp, Twitter, Facebook, Kakoa, Viber, and Skype by making/data/data directories of the apps world readable.
• Content observers: use Android'sContentObserverframework to gather changes in SMS, Calendar, Contacts, Cell info, Email,WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype.
• Screenshots: captures an image of the current screen viathe raw frame buffer.
• Keylogging: record input events by hookingIPCThreadState::Transact from/system/lib/libbinder.so, and intercepting android::parcel with theinterfacecom.android.internal.view.IInputContext.
• RoomTap: silently answers a telephone call and staysconnected in the background, allowing the caller to hear conversations withinthe range of the phone's microphone. If the user unlocks their device, they willsee a black screen while the app drops the call, resets call settings andprepares for the user to interact with the device normally.

Finally, the app can remove itself through three ways:

• Via a command from the server
• Autoremove if the device has not been able to check in to the server after60 days
• Via an antidote file. If/sdcard/MemosForNotes was present onthe device, the Chrysaor app removes itself from the device.

Samples uploaded to VirusTotal