{
	"id": "863bae31-6f81-43c5-906b-fa3dcdb4b2af",
	"created_at": "2026-04-06T00:18:16.827681Z",
	"updated_at": "2026-04-10T03:30:33.150021Z",
	"deleted_at": null,
	"sha1_hash": "635607b873ddad6492a1ebf66f79e3de325b9214",
	"title": "An Investigation of Chrysaor Malware on Android",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 304658,
	"plain_text": "An Investigation of Chrysaor Malware on Android\r\nPosted by Rich Cannings, Jason Woloz, Neel Mehta, Ken Bodzak, Wentao Chang, Megan Ruthven\r\nPublished: 2017-04-03 · Archived: 2026-04-05 19:26:34 UTC\r\nGoogle is constantly working to improve our systems that protect users from Potentially Harmful Applications (PHAs). Usually, PHA authors attempt to install their harmful apps on as many devices as possible. However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on one or a very small number of devices. This is known as a targeted attack. In this blog post, we describe Chrysaor, a newly discovered family of spyware that was used in a targeted attack on a small number of Android devices, and how investigations like this help Google protect Android users from a variety of threats.\r\nWhat is Chrysaor?\r\nChrysaor is spyware believed to be created by NSO Group Technologies, specializing in the creation and sale of software and infrastructure for targeted attacks. Chrysaor is believed to be related to the Pegasus spyware that was first identified on iOS and analyzed by Citizen Lab and Lookout. Late last year, after receiving a list of suspicious package names from Lookout, we discovered that a few dozen Android devices may have installed an application related to Pegasus, which we named Chrysaor. Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps. We gathered information from affected devices and, concurrently, attempted to acquire Chrysaor apps to better understand its impact on users. We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.\r\nWhat is the scope of Chrysaor?\r\nChrysaor was never available in Google Play and had a very low volume of installs outside of Google Play. Among the over 1.4 billion devices protected by Verify Apps, we observed fewer than 3 dozen installs of Chrysaor on victim devices. These devices were located in the following countries:\r\nHow we protect you\r\nTo protect Android devices and users, Google Play provides a complete set of security services that update outside of platform releases. Users don’t have to install any additional security services to keep their devices safe. In 2016, these services protected over 1.4 billion devices, making Google one of the largest providers of on-device security services in the world:\r\nIdentify PHAs using people, systems in the cloud, and data sent to us from devices\r\nWarn users about or block users from installing PHAs\r\nContinually scan devices for PHAs and other harmful threats\r\nAdditionally, we are providing detailed technical information to help the security industry in our collective work against PHAs.\r\nWhat do I need to do?\r\nIt is extremely unlikely you or someone you know was affected by Chrysaor malware. Through our investigation, we identified fewer than 3 dozen devices affected by Chrysaor, we have disabled Chrysaor on those devices, and we have notified users of all known affected devices. Additionally, the improvements we made to our protections have been enabled for all users of our security services. To ensure you are fully protected against PHAs and other threats, we recommend these 5 basic steps:\r\nInstall apps only from reputable sources: Install apps from a reputable source, such as Google Play. No Chrysaor apps were on Google Play.\r\nEnable a secure lock screen: Pick a PIN, pattern, or password that is easy for you to remember and hard for others to guess.\r\nUpdate your device: Keep your device up-to-date with the latest security patches.\r\nVerify Apps: Ensure Verify Apps is enabled.\r\nLocate your device: Practice finding your device with Android Device Manager because you are far more likely to lose your device than install a PHA.\r\nHow does Chrysaor work?\r\nTo install Chrysaor, we believe an attacker coaxed specifically targeted individuals to download the malicious software onto their device. Once Chrysaor is installed, a remote operator is able to surveil the victim’s activities on the device and within the vicinity, leveraging the microphone, camera, data collection, and logging and tracking of application activity on communication apps such as phone and SMS. One representative sample Chrysaor app that we analyzed was tailored to devices running Jellybean (4.3) or earlier. The following is a review of the scope and impact of the Chrysaor app named com.network.android, tailored for a Samsung device target, with SHA256 digest: ade8bef0ac29fa363fc9afd958af0074478aef650adeb0318517b48bd996d5d5\r\nUpon installation, the app uses known framaroot exploits to escalate privileges and break Android’s application sandbox. If the targeted device is not vulnerable to these exploits, then the app attempts to use a superuser binary pre-positioned at /system/csk to elevate privileges. After escalating privileges, the app immediately protects itself and starts to collect data, by:\r\nInstalling itself on the /system partition to persist across factory resets\r\nRemoving Samsung’s system update app (com.sec.android.fotaclient) and disabling auto-updates to maintain persistence (sets Settings.System.SOFTWARE_UPDATE_AUTO_UPDATE to 0)\r\nDeleting WAP push messages and changing WAP message settings, possibly for anti-forensic purposes\r\nStarting content observers and the main task loop to receive remote commands and exfiltrate data\r\nThe app uses six techniques to collect user data:\r\nRepeated commands: use alarms to periodically repeat actions on the device to expose data, including gathering location data.\r\nData collectors: dump all existing content on the device into a queue. Data collectors are used in conjunction with repeated commands to collect user data including SMS settings, SMS messages, call logs, browser history, calendar, contacts, emails, and messages from selected messaging apps, including WhatsApp, Twitter, Facebook, Kakao, Viber, and Skype, by making the /data/data directories of those apps world readable.\r\nContent observers: use Android’s ContentObserver framework to gather changes in SMS, Calendar, Contacts, Cell info, Email, WhatsApp, Facebook, Twitter, Kakao, Viber, and Skype.\r\nScreenshots: captures an image of the current screen via the raw frame buffer.\r\nKeylogging: records input events by hooking IPCThreadState::Transact from /system/lib/libbinder.so and intercepting android::parcel with the interface com.android.internal.view.IInputContext.\r\nRoomTap: silently answers a telephone call and stays connected in the background, allowing the caller to hear conversations within the range of the phone's microphone. If the user unlocks their device, they will see a black screen while the app drops the call, resets call settings and prepares for the user to interact with the device normally.\r\nFinally, the app can remove itself in three ways:\r\nVia a command from the server\r\nAuto-remove if the device has not been able to check in to the server after 60 days\r\nVia an antidote file. If /sdcard/MemosForNotes was present on the device, the Chrysaor app removes itself from the device.\r\nSamples uploaded to VirusTotal\r\nTo encourage further research in the security community, we’ve uploaded these sample Chrysaor apps to VirusTotal.\r\nAdditional digests with links to Chrysaor\r\nAs a result of our investigation we have identified these additional Chrysaor-related apps.\r\nLookout has completed their own independent analysis of the samples we acquired; their report can be viewed here.\r\nSource: https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"
	],
	"report_names": [
		"an-investigation-of-chrysaor-malware-on.html"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434696,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/635607b873ddad6492a1ebf66f79e3de325b9214.pdf",
		"text": "https://archive.orkl.eu/635607b873ddad6492a1ebf66f79e3de325b9214.txt",
		"img": "https://archive.orkl.eu/635607b873ddad6492a1ebf66f79e3de325b9214.jpg"
	}
}