Pegasus, the iOS spyware, was created by NSO Group, an Israeli cyber intelligence company. Chrysaor is believed to be NSO Group's Android counterpart, given the many similarities between the two implants.
Chrysaor is a data exfiltration and surveillance app. Like many consumer spyware apps, it can run on an Android phone whether or not the device is rooted. What separates it from consumer spyware such as mSpy is its ability to grant itself privileged (root, or superuser) access: Chrysaor carries several Framaroot exploits and uses them to escalate its privileges on vulnerable devices.
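Because self-rooting is the capability that distinguishes Chrysaor from consumer spyware, the practical check a device owner or responder wants is whether a handset shows signs of having been rooted. The script below is an added example (it is not code from the original post, from NSO Group, or from the Google or Lookout reports). It parses the text that `adb shell getprop` and `adb shell ls -l <paths>` print and flags common root indicators: a `su` binary in the usual drop locations, `ro.secure=0`, `ro.debuggable=1`, a firmware build signed with `test-keys`, and an Android release old enough to fall in the 2.x-4.x range that Framaroot's exploits targeted (the "below 5.0" threshold is this example's assumption, not a figure from the reports). The two sample outputs embedded in the script are constructed for illustration; the `root_audit.py` file name in the usage comment is hypothetical.

```python
"""Audit an Android device for indicators of root access.

Added example, not code from the original post or from any vendor report.
Works offline on the text that `adb shell getprop` and `adb shell ls -l`
print; the sample outputs below are constructed.  Real usage:

    adb shell getprop > props.txt
    adb shell ls -l /system/bin/su /system/xbin/su /sbin/su /data/local/su > su.txt 2>&1
    python root_audit.py props.txt su.txt      # hypothetical file name
"""
import re
import sys

# Well-known locations where rooting tools drop a setuid `su` binary.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/data/local/su")

# Assumption for this example: Framaroot's exploits targeted Android 2.x-4.x
# kernels, so any release below 5.0 is reported as being in their range.
OLD_MAJOR_RELEASE = 5


def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"\[([^\]]+)\]:\s*\[(.*)\]\s*$", line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_su_listing(text):
    """Return {path: mode} for the su binaries that `ls -l` actually found."""
    found = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("ls:"):   # "No such file or directory"
            continue
        fields = line.split()
        if len(fields) >= 2 and fields[-1] in SU_PATHS:
            found[fields[-1]] = fields[0]         # e.g. -rwsr-sr-x
    return found


def audit(getprop_text, su_listing_text):
    """Return a list of human-readable root indicators (empty list = none found)."""
    props = parse_getprop(getprop_text)
    findings = []

    for path, mode in parse_su_listing(su_listing_text).items():
        setuid = len(mode) >= 4 and mode[3] == "s"
        findings.append(f"su binary at {path}" + (" (setuid root)" if setuid else ""))

    if props.get("ro.secure") == "0":
        findings.append("ro.secure=0: adbd runs as root")
    if props.get("ro.debuggable") == "1":
        findings.append("ro.debuggable=1: debug build, `adb root` permitted")

    tags = props.get("ro.build.tags", "")
    if "test-keys" in tags:
        findings.append(f"ro.build.tags={tags}: firmware signed with test keys (custom or repacked ROM)")

    release = props.get("ro.build.version.release", "")
    m = re.match(r"(\d+)", release)
    if m and int(m.group(1)) < OLD_MAJOR_RELEASE:
        findings.append(f"Android {release}: within the 2.x-4.x range Framaroot's exploits targeted")
    return findings


# Constructed sample output for a device that has been rooted.
SAMPLE_GETPROP_SUSPECT = """\
[ro.build.tags]: [test-keys]
[ro.build.version.release]: [4.4.2]
[ro.build.version.sdk]: [19]
[ro.debuggable]: [0]
[ro.product.model]: [Nexus 5]
[ro.secure]: [1]
"""
SAMPLE_SU_LS_SUSPECT = """\
ls: /system/bin/su: No such file or directory
-rwsr-sr-x root     root        71072 2013-10-10 12:00 /system/xbin/su
ls: /sbin/su: No such file or directory
ls: /data/local/su: No such file or directory
"""

# Constructed sample output for a stock, unrooted device.
SAMPLE_GETPROP_CLEAN = """\
[ro.build.tags]: [release-keys]
[ro.build.version.release]: [8.1.0]
[ro.build.version.security_patch]: [2018-03-05]
[ro.debuggable]: [0]
[ro.secure]: [1]
"""
SAMPLE_SU_LS_CLEAN = """\
ls: /system/bin/su: No such file or directory
ls: /system/xbin/su: No such file or directory
ls: /sbin/su: No such file or directory
ls: /data/local/su: No such file or directory
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            props_txt, su_txt = f1.read(), f2.read()
    else:
        props_txt, su_txt = SAMPLE_GETPROP_SUSPECT, SAMPLE_SU_LS_SUSPECT
    for finding in audit(props_txt, su_txt):
        print("[!]", finding)
```

A clean result from this script is not proof of absence: an implant that has obtained root can hide or remove its `su` binary, so on a device you actually suspect, treat an old release and test-keys firmware as reason enough to image the device and hand it to a forensic analyst rather than to keep poking at it.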
When running with escalated privileges, Chrysaor is capable of the following:
- Screenshot capture
- Live audio capture
- Remote control of the malware via SMS
- Messaging data exfiltration from common applications including WhatsApp, Skype, Facebook, Twitter, Viber, Kakao
- Browser history exfiltration
- Email exfiltration from Android's native email client
- Contacts and text message exfiltration
- "Suicide", i.e. removing itself from the device when it receives a remote command to do so, or when it has been unable to reach its command server for 60 days. It also removes itself if it detects that it is being analyzed rather than deployed (for example, when it finds itself running in an emulator instead of on a real handset).
Most of these are pretty pedestrian capabilities for spyware. Cheap consumer mobile monitoring apps can do all of these things, except grant themselves superuser privileges and implement the "suicide" mode.
Overall, Google researchers detected fewer than three dozen devices infected with Chrysaor, mostly in Israel (NSO Group's QA department?), Georgia and Mexico (both reported to be NSO Group clients).
Since NSO Group sells Chrysaor only to governments, and charges six-figure sums per targeted smartphone, it is not a threat to you unless you are a journalist or an anti-government activist in a place like the UAE, Mexico or Georgia.
See Lookout’s technical report.