Pegasus malware, originally a threat to only iOS devices, has expanded its capabilities to infect Android devices,...
as well. The Android variant of the malware can be used to spy on user devices by capturing screenshots, keystrokes and audio, as well as to steal data from messages. How is the Android Pegasus variant different from the iOS version, and what should users know about it?
In 2016, mobile security vendor Lookout Inc., working with The Citizen Lab at the University of Toronto, published research about a highly sophisticated, targeted and persistent mobile attack against devices running iOS called Pegasus. Believed to be created by a cyber arms dealer called NSO Group Technologies, Pegasus malware has sophisticated mobile spyware capabilities and was being actively used to target various groups and individuals.
Lookout and Google have now uncovered a version of the Pegasus malware that can compromise Android devices after detecting signals of anomalous Android applications running on phones in Israel, Georgia, Mexico, Turkey, Kenya and six other countries.
Pegasus malware for Android -- which Google refers to as Chrysaor -- has similar spying functionality as Pegasus malware for iOS, including keylogging, screenshot and live audio capture, contacts messaging, and browser history exfiltration. The attackers can control the malware remotely via text message, and the program will remove itself from the phone if it feels it is at risk of detection.
The big difference between the two versions is that it's easier to deploy Pegasus malware for Android on a victim's device. Pegasus for iOS needed three zero-day vulnerabilities to jailbreak, install and run on the target device. If the attack failed to jailbreak the device, the attack was halted.
Pegasus for Android does not require zero-day vulnerabilities, as it uses a rooting technique called Framaroot to escalate privileges and break Android's application sandbox. Even if this attack vector fails, Pegasus can ask for permissions that would allow it to access and exfiltrate data.
Chrysaor was never available in the Google Play store, and Google has found fewer than three dozen installs. It has sent a notification to potential targets with information about remediating the threat. It has also implemented changes in Verify Apps, the on-device scanner included in Google Play services to protect users, which is enabled by default.
This particular threat shows just how sophisticated and stealthy mobile malware can be. It highlights the importance of only ever installing apps from reputable sources, such as the Google Play store and other official app stores. Google believes the attacker coaxed specifically targeted individuals to download the malicious software onto their device.
Like any device running software, mobile devices need to be kept up to date with the latest security patches. Other sensible measures include changing the lock screen PIN, pattern or password to something that is hard for others to guess, as well as double checking that Verify Apps is enabled.
Finally, if anyone thinks they may have been targeted by either Pegasus malware for Android or iOS, then they should contact either Lookout or Google.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)
Learn more about how Pegasus malware works
Find out how difficult Android malware delivery is
Check out the findings of an investigation into Android malware detection
Dig Deeper on Malware, virus, Trojan and spyware protection and removal
Related Q&A from Michael Cobb
Expert Michael Cobb details how to argue for a multistep secure code review process, like Microsoft SDL, and the pros of secure coding practices. Continue Reading
Researchers developed a tool to help prevent improper certificate pinning that causes security issues. Expert Michael Cobb reviews the issue and the ... Continue Reading
Google Project Zero discovered a WPAD attack that could target systems running Windows 10. Expert Michael Cobb explains how the attack works and how ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.