When you lose the key to your bike lock you borrow bolt cutters. When your door is jammed you look up a locksmith. And when you need targeted surveillance of a smartphone, you call your cyberarms dealer. Naturally! For bad actors and nation states, sometimes all it takes to access someone’s private text messages, browsing history, calls, emails, calendar, location, contacts, and apps, is a big enough check. Although maybe not as big as you’d think.
Researchers from the mobile security firm Lookout and Google’s Android security team revealed evidence this week of a type of mobile spyware for Android that masquerades as a normal app download, while secretly gaining root access to a device to do broad surveillance on the user over time. Lookout, working with Citizen Lab, a human rights and global security research group, discovered a similar malicious product for iOS last year. Called Pegasus, the malware appeared to originate from the Israeli spy technology company NSO Group. Since NSO Group also advertises the product for Android, Lookout got to work trying to find proof that it exists. It didn’t take long.
“We knew we’d find it,” says Mike Murray, the vice president of security intelligence at Lookout. “It was just a question of when and where in the data. It’s important to understand the pervasiveness of this. This stuff is being used by all sorts of nation-state advanced attackers around the world for whatever their aims are. And their aims are more broad than we necessarily think about.”
That isn’t cause for you specifically to worry. Google checked data from the Verify Apps software security scanner it has on 1.4 billion devices around the world and found possible downloads of Pegasus for Android (also called Chrysaor) on fewer than 40 devices total, in countries including Israel, Georgia, Mexico, Turkey, Ukraine, and the United Arab Emirates. Google says it notified all of those users about the potential danger and blocked the malware. A few dozen devices is a very small population, but the software provides virtually complete access and control on a device. This isn’t some credit card theft or prescription drug scam. It’s complete ownership of data about a person’s entire digital life.
Reports indicate that it costs a few hundred thousand dollars to get up and running with this type of NSO Group tool, and then tens of thousands of dollars for each target a customer wants to use the product on. Think of it like a licensing fee. The cost is relatively small, especially measured against the budgets of the governments and agencies that make up NSO’s clientele, but high enough that you probably wouldn’t install it on every phone out there. Murray says that the cost of using the iOS and Android tools is comparable, from what he has seen.
The malicious app download was never available in the Google Play Store, and was probably distributed to targets using links in specially crafted text messages, as was the case with the iOS version. Pegasus for iOS exploited a series of rare and valuable zero-day (previously unknown and therefore unpatched) bugs in iOS to gain full access. In the case of the Android version, though, the malware relies on a known, already-patched rooting method called Framaroot.
Since it’s open source, Android can be infinitely altered and adjusted, but this can make it difficult to distribute security updates widely, since not all patches and protections become available for all “forks” (independent versions) of the operating system. As a result, it is easier to use old vulnerabilities to target Android users, because a portion of the population will generally still be vulnerable to a given attack months or years after a patch comes out. And even if a potential victim downloads Pegasus for Android on a device that has all the most recent security updates, the spyware can still work if the user mistakenly grants approval through Android’s permissions system.
The malware is also difficult to detect. It has self-destruct mechanisms built in to wipe it off devices, and can even block certain patches and scans that could nullify it. But Lookout knew the types of things that characterized the NSO Group’s Pegasus tool on iOS, and was able to look for evidence of the Android version in anonymous data it has collected from more than 100 million of its customers’ devices. “With the iOS version [of Pegasus] we started to learn about how NSO builds software and how they do their job. We noticed common standards in the way they write code, common infrastructure that they’ve used,” says Murray. “So we found a bunch of initial candidates [in our data] that looked very promising, some of which were incredibly promising and actually turned out to be the real thing.”
Google says it has disabled the malicious application on infected devices, and has updated its Verify Apps service to protect the overall Android population. Some samples of Pegasus for Android date back to 2014, though, so it seems likely that NSO Group and other cyberarms dealers have developed even more sophisticated techniques since then.
“I don’t think this is the end to this story,” Murray says. “They’re evolving. I think the next round is going to be even more interesting.”