pixel_dreams - Fotolia

How is Pegasus malware different on Android than on iOS?

Pegasus malware used to only target iOS devices, but a variant called Chrysaor now goes after Android devices, too. Expert Michael Cobb explains what users need to know about it.

Pegasus malware, originally a threat to only iOS devices, has expanded its capabilities to infect Android devices, as well. The Android variant of the malware can be used to spy on user devices by capturing screenshots, keystrokes and audio, as well as to steal data from messages. How is the Android Pegasus variant different from the iOS version, and what should users know about it?

In 2016, mobile security vendor Lookout Inc., working with The Citizen Lab at the University of Toronto, published research about a highly sophisticated, targeted and persistent mobile attack against devices running iOS called Pegasus. Believed to be created by a cyber arms dealer called NSO Group Technologies, Pegasus malware has sophisticated Mobile spyware capabilities and was being actively used to target various groups and individuals.

Lookout and Google have now uncovered a version of the Pegasus malware that can compromise Android devices after detecting signals of anomalous Android applications running on phones in Israel, Georgia, Mexico, Turkey, Kenya and six other countries.

Pegasus malware for Android -- which Google refers to as Chrysaor -- has similar spying functionality as Pegasus malware for iOS, including keylogging, screenshot and live audio capture, contacts messaging, and browser history exfiltration. The attackers can control the malware remotely via text message, and the program will remove itself from the phone if it feels it is at risk of detection.

The big difference between the two versions is that it's easier to deploy Pegasus malware for Android on a victim's device. Pegasus for iOS needed three zero-day vulnerabilities to jailbreak, install and run on the target device. If the attack failed to jailbreak the device, the attack was halted.

Pegasus for Android does not require zero-day vulnerabilities, as it uses a rooting technique called Framaroot to escalate privileges and break Android's application sandbox. Even if this attack vector fails, Pegasus can ask for permissions that would allow it to access and exfiltrate data.

Chrysaor was never available in the Google Play store, and Google has found fewer than three dozen installs. It has sent a notification to potential targets with information about remediating the threat. It has also implemented changes in Verify Apps, the on-device scanner included in Google Play services to protect users, which is enabled by default.

This particular threat shows just how sophisticated and stealthy mobile malware can be. It highlights the importance of only ever installing apps from reputable sources, such as the Google Play store and other official app stores. Google believes the attacker coaxed specifically targeted individuals to download the malicious software onto their device.

Like any device running software, mobile devices need to be kept up to date with the latest security patches. Other sensible measures include changing the lock screen PIN, pattern or password to something that is hard for others to guess, as well as double checking that Verify Apps is enabled.

Finally, if anyone thinks they may have been targeted by either Pegasus malware for Android or iOS, then they should contact either Lookout or Google.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)

Next Steps

Learn more about how Pegasus malware works

Find out how difficult Android malware delivery is

Check out the findings of an investigation into Android malware detection

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing