Chrysaor Malware Found on Android Devices—Here's What You Should Know & How to Protect Yourself
Related to the Pegasus hack that recently affected iPhones, Chrysaor is malware that baits the user into installing it. For instance, let's say you're sideloading an app, but you don't recognize the site where the APK came from, nor do you trust the developer. In this example, there's a chance that it could be a Chrysaor-infected app.
Once installed, a Chrysaor app attempts to root your phone using the Framaroot method, and if that doesn't work, it attempts to use a Superuser binary built into most Android phones to achieve root. After the device has been rooted, Chrysaor has unfettered access to your entire system, so it can monitor your calls, texts, emails, location, microphone, and camera, install a key logger, and effectively spy on you with almost every Android sensor.
According to Lookout Security VP Mike Murray, "This means [Chrysaor] is easier to deploy on devices and has the ability to move laterally if the first attempt to hijack the device fails."
This is much worse than what Chrysaor's malware brother, Pegasus, was able to exploit from iOS users. Pegasus specifically targeted iOS phones, jailbroke the targeted devices, and then installed spyware. If Pegasus couldn't jailbreak the targeted phone, though, then the hack failed, and all was put to bed.
Pegasus's malware brother is also very sneaky. If Chrysaor expects it could be spotted, then the malware uninstalls itself before anyone would suspect it was ever there:
[Chrysaor] will remove itself from the phone if the SIM MCC ID is invalid, an 'antidote' file exists, it has not been able to check in with the servers after 60 days, or it receives a command from the server to remove itself.
As of now, according to Google's press release on the Android malware, "a few dozen Android devices may have installed an application related to Pegasus, which we named Chrysaor."
However, it doesn't look like the Israeli-made malware—rumored to charge over $1 million to infect phones—is going to be a widespread problem. It seems the malware targeted specific phones in Israel, Georgia, Mexico, Turkey, Kenya, and a few other countries outside of the Western world.
Android users are more vulnerable to the spyware than iOS users, though. Chrysaor doesn't require what Lookout calls, "zero-day vulnerabilities to root the target device and install the malware," as was the case with Pegasus. This can be attributed to Android's fragmented update system, where typically only Google-made phones, like the Pixel, receive immediate updates to fix security loopholes when a zero-day vulnerability is discovered.
Google recommends that Android users take caution when downloading apps from unknown sites. At the moment, Google has found no Chrysaor apps on Google Play, which is good news, although the malware is still a looming threat. As such, Google recommends taking these five steps to protect yourself:
- Only install apps from reputable sources, such as the Google Play Store.
- Secure your lock screen with a hard-to-guess password.
- Always keep your device up to date with the latest Android updates.
- Use Verify Apps to check if any of your apps are infected with malware.
- Practice locating your device with Android Device Manager, because, as Google notes, "you are far more likely to lose your device" than to install Chrysoar.