Android malware "Chrysaor" cannot be removed even by a factory reset

~ Google urges caution

Google released details about the newly discovered spyware "Chrysaor" on the 3rd (US time). It runs on Android and cannot be removed even if the device is factory reset, and it is carefully designed: for example, the spyware deletes itself under certain conditions to conceal its existence.

According to Google, it was likely developed as a cyberweapon by the Israeli company NSO Group Technologies. It is used in targeted attacks, and only a small number of devices appear to have been confirmed as infected at this time.

Chrysaor is spyware that monitors infected devices and collects information such as SMS, call logs and messages. It also has a keylogging function and a function to eavesdrop on the room by holding a call with the attacker in the background. It exploits a vulnerability to illegitimately elevate to administrator privileges, disables the sandbox, and then operates.

Because it is installed in the system partition at infection time, it cannot be removed even if the device is factory reset.

In addition, Chrysaor has a self-erasing function, probably to hide its existence. This function activates when communication with the attacker-prepared server cannot be established for more than 60 days, when the attacker instructs it to, or when the "antidote file" that the developer seems to have prepared exists in a fixed directory.

There is no evidence that Chrysaor was ever on Google Play, and it is spyware used in targeted attacks, so most users are not at risk. Google has confirmed infections on only a little over 30 out of 1.4 billion devices.

Google recommends installing software from a trusted source such as Google Play, strengthening device passwords, PINs, and pattern locks, and keeping the device up to date.