Light Dark
April 6, 2017 By Larry Loeb 2 min read

Since Pegasus spyware was found on iOS devices in August 2016, Google and Lookout Security have been watching for potential surveillance applications. Pegasus was developed by the Israel-based NSO Group, a “lawful intercept” vendor. This means that they come up with the tools that governments may want for espionage but can’t create themselves.

Pegasus utilized three Apple iOS zero-day exploits that were collectively known as Trident, which have since been patched. The Android version of the Pegasus spyware is known as Chrysaor and seems to be aimed at versions of Android Jelly Bean (4.3) or earlier.

A Small Target Area

Google said its analysis showed that less than three dozen devices, mostly in Israel, were affected by Chrysaor. It disabled Chrysaor on those devices and notified users of all known affected devices.

The spyware relied on social engineering to entire targets to download the malicious software and did not use any known zero-day exploits. Once Chrysaor was installed, a remote operator would be able to surveil the victim’s activities on the device as well as within the local vicinity, Google noted.

All-Encompassing Surveillance Activities

Chrysaor used the microphone, camera, data collection, and logging and tracking application activities from communication apps. It could also capture screenshots and disable system updates for the operating system.

Researchers observed the malware leveraging known framaroot exploits as a way to escalate privileges and access Android’s application sandbox. Additionally, they found another escalation path: Chrysaor could elevate access with an attempted superuser binary prepositioned at /system/csk.

Once aboard, the spyware snarfed data such as emails, calendar information, browser history, call logs, contacts, SMS messages and settings. It even gained information from certain messaging apps such as Skype, Twitter, WhatsApp, Viber and Kakao. It could capture screen shots, keylog, disable system updates, and survey the microphone and camera hardware.

Pegasus Spyware Erases Itself

Meanwhile, Lookout Security noted that the spyware has the ability to wipe itself to maintain its stealth. “Pegasus for Android will remove itself from the phone if the SIM MCC ID is invalid, an ‘antidote’ file exists, it has not been able to check in with the servers after 60 days or it receives a command from the server to remove itself,” the researchers found.

To maintain security against Chysaor and other potentially harmful spyware, users should keep device software up to date, install apps only from verified sources and use a secure lock on their home screens.

 |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

March 4, 2025

FYSA — VMware Critical Vulnerabilities Patched

< 1 min read - SummaryBroadcom has released a security bulletin, VMSA-2025-0004, addressing and remediating three vulnerabilities that, if exploited, could lead to system compromise. Products affected include vCenter Server, vRealize Operations Manager, and vCloud Director.Threat TopographyThreat Type: Critical VulnerabilitiesIndustry: VirtualizationGeolocation: GlobalOverviewX-Force Incident Command is monitoring activity surrounding Broadcom’s Security Bulletin (VMSA-2025-0004) for three potentially critical vulnerabilities in VMware products. These vulnerabilities, identified as CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226, have reportedly been exploited in attacks. X-Force has not been able to validate those claims. The vulnerabilities…

February 21, 2025

SoaPy: Stealthy enumeration of Active Directory environments through ADWS

10 min read - Introduction Over time, both targeted and large-scale enumeration of Active Directory (AD) environments have become increasingly detected due to modern defensive solutions. During our internship at X-Force Red this past summer, we noticed FalconForce’s SOAPHound was becoming popular for enumerating Active Directory environments. This tool brought a new perspective to Active Directory enumeration by performing collection via Active Directory Web Services (ADWS) instead of directly through Lightweight Directory Access Protocol (LDAP) as other AD enumeration tools had in the past.…

February 14, 2025

Smoltalk: RCE in open source agents

26 min read - Big shoutout to Hugging Face and the smolagents team for their cooperation and quick turnaround for a fix! Introduction Recently, I have been working on a side project to automate some pentest reconnaissance with AI agents. Just after I started this project, Hugging Face announced the release of smolagents, a lightweight framework for building AI agents that implements the methodology described in the ReAct paper, emphasizing reasoning through iterative decision-making. Interestingly, smolagents enables agents to reason and act by generating…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature