Pegasus malware expands from iOS to Android

One of the more malicious iOS threats -- Pegasus malware -- has made its way to Android devices and it has some dangerous new tricks in its arsenal.

Mobile security researchers and Google have found a new strain of the Pegasus malware infecting a limited number of Android devices.

Pegasus malware had been exclusive to iOS and was particularly interesting because it leveraged a trio of iOS vulnerabilities in order to infect devices.

Researchers at Lookout said the malware has expanded to Android devices and may prove more dangerous on that platform.

According to Mike Murray, vice president of security intelligence at Lookout, the Android variant of Pegasus -- called Chrysaor by Google -- was developed by the same NSO Group that was found targeting political dissidents, rights activists and journalists with the Pegasus malware.

"NSO Group has sophisticated mobile spyware capabilities across a number of operating systems that are actively being used to target individuals," Murray wrote in a blog post. "After looking into these signals, we determined that an Android version of Pegasus was running on phones in Israel, Georgia, Mexico, Turkey, the UAE and others."

Both Lookout and Google confirmed that the Pegasus malware could be used to capture screenshots, keystrokes or audio and also exfiltrate data from messaging apps, browsers, email and contacts. Murray also noted the software can "self-destruct" if it "feels its position is at risk."

"Pegasus is the most advanced Android [remote access Trojan] malware to have ever been detected in real-world usage," Liviu Arsene, senior e-threat researcher at Romania-based antimalware firm Bitdefender, told SearchSecurity. "Extremely versatile, it is able to sniff communications, steal messages and call records from instant messaging like WhatsApp, Facebook, Twitter, Skype and Gmail. It also packs key-logging and capabilities to take screenshots; it can even take control of the phone's camera and microphone."

Murray said the Pegasus malware "was built to be stealthy, targeted and is very sophisticated" and includes new techniques not seen in the iOS version to make it "easier to deploy."

"Pegasus for Android does not require zero-day vulnerabilities to root the target device and install the malware. Instead, the threat uses an otherwise well-known rooting technique called Framaroot," Murray wrote. "In the case of Pegasus for iOS, if the zero-day attack execution failed to jailbreak the device, the attack sequence failed overall. In the Android version, however, the attackers built in functionality that would allow Pegasus for Android to still ask for permissions that would then allow it to access and exfiltrate data. The fail-safe jumps into action if the initial attempt to root the device fails."

Pegasus malware poses limited risk

However, despite being easier to deploy, the Pegasus malware doesn't appear to be widespread. Google said it "observed fewer than three dozen installs" of the malware in the 1.4 billion devices protected by Google Play services and Verify Apps.

"Late last year, after receiving a list of suspicious package names from Lookout, we discovered that a few dozen Android devices may have installed an application related to Pegasus, which we named Chrysaor. Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps," Google researchers wrote in a blog post. "We gathered information from affected devices, and concurrently, attempted to acquire Chrysaor apps to better understand its impact on users. We've contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users."

Google said "one representative sample" of the Pegasus malware was analyzed and found to be "tailored to devices running Jelly Bean (4.3) or earlier." According to Google's metrics, those versions of Android make up 12.6% of current devices, or approximately 176 million devices.

Google also noted users would need to be coaxed into installing a malicious app from an untrusted source in order to be infected, but it has already made improvements to Verify Apps to protect all Android devices that have Google Play services.

Michael Patterson, CEO of Plixer, said Pegasus malware could still be dangerous despite the rooting method mostly targeting older devices.

"The malware is still dangerous because malware evolves over time like most software that is maintained. Malicious software is often given away or stolen and used to create new variants," Patterson told SearchSecurity. "While the malware is impacting phones five years old, the latest release could be better at evading detection and have new, richer theft features. Companies should have a network traffic analysis solution which is monitoring for odd traffic behaviors from mobile devices."

Arsene suggested the standard protections for Android users: "To protect your Android devices install apps from legitimate sources, make sure you have the latest OS updates and security patches, enable a lock screen, ensure you run an antimalware app, and check on a regular basis what are the apps that have admin rights on your device."
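The checks Arsene lists, together with Google's points about untrusted sources and Android 4.3, can be combined into a simple device triage. This is an added example, not code from the article, Lookout or Google, and it is a hygiene check rather than a Pegasus detector. It assumes input captured from `adb shell pm list packages -3 -i`, a separately gathered set of device-admin package names and the SDK level from `getprop ro.build.version.sdk`; all package names are constructed.

```python
import re

PLAY_STORE = "com.android.vending"  # installer package name of Google Play
JELLY_BEAN_43_API = 18              # Android 4.3 corresponds to API level 18

# Assumed line shape of `pm list packages -3 -i`:
#   package:<name>  installer=<installer or null>
LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_installers(pm_output):
    """Map each third-party package to its installer (None if not recorded)."""
    result = {}
    for line in pm_output.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines rather than guessing
        inst = m.group("inst")
        result[m.group("pkg")] = None if inst == "null" else inst
    return result


def triage(pm_output, admin_packages, sdk_level):
    """Return (package, reasons) pairs that deserve a manual look."""
    findings = []
    for pkg, inst in sorted(parse_installers(pm_output).items()):
        reasons = []
        if inst != PLAY_STORE:
            reasons.append("sideloaded (installer=%s)" % inst)
        if pkg in admin_packages:
            reasons.append("holds device admin rights")
        if reasons and sdk_level <= JELLY_BEAN_43_API:
            reasons.append("device runs Android 4.3 or earlier")
        if reasons:
            findings.append((pkg, reasons))
    return findings


# Constructed sample inventory, not taken from any real device.
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.mdm  installer=com.android.vending
"""
SAMPLE_ADMINS = {"com.example.updater", "com.example.mdm"}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_ADMINS, 18):
        print(pkg, "->", "; ".join(reasons))
```

A sideloaded package that also holds admin rights on an old device is the combination worth reviewing first; a Play-installed admin app such as a management agent is usually expected.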
