Earlier this month a new high-tech espionage threat was discovered by Google and cyber security research company Lookout. The Chrysaor malware is thought to have been created by the NSO Group, an Israeli firm with strong links to the state.
NSO was founded by two men who, according to Forbes, are thought to be former members of Unit 8200, Israel’s signals intercept and cyber-warfare spy agency. The firm sells itself on the basis that it allows government intelligence agencies around the world to break into almost any phone, anywhere.
Chrysaor is the Android version of Pegasus, a cyber-weapon discovered to be spying on Apple iPhones last year. The software is installed on a target’s smartphone by tricking him or her into clicking on a web link to malicious code. If that code is run, it exploits crucial security vulnerabilities in the Android and iOS phone operating systems, which were unknown to Google and Apple before these cyber-weapons were discovered. The vulnerabilities have now been patched, with software updates being rolled out to affected phones.
The infected phones report an immense amount of data back to whichever NSO client is spying on their owners. The malware collects SMS messages, call logs, geographic location, browser history, contacts, emails, WhatsApp and Skype messages, and more. Worse, it can take screenshots and even start filming using the camera or open up the microphone to report back what’s being said in the immediate vicinity.
The software goes to great lengths to disguise itself and has a “suicide” function by which it can be removed should its operator decide to do so, or automatically if the software can no longer contact relevant servers for a fixed period.
Google has tracked “fewer than three dozen installs of Chrysaor on victim devices,” the company said in a blog post. Pegasus and its Android equivalent Chrysaor are therefore highly targeted and sophisticated cyber-weapons, rather than a typical hacker’s piece of spyware intent on pilfering as much information and money as possible while infecting as many targets as it can.
Due to the high-stealth nature of the software, it’s possible that Google has not yet discovered other such NSO cyber-weapons. Chrysaor and Pegasus have managed to run undetected for more than two years.
Google’s investigation revealed that most of the targeted phones were in Israel itself, with other targets in Mexico, Turkey, Nigeria, Ukraine and the United Arab Emirates. The human targets of this spyware have included journalists and human rights workers; UAE dissident Ahmed Mansoor was targeted with Pegasus.
“On the morning of August 10, 2016,” revealed security analysts, “Mansoor received an SMS text message that appeared suspicious. The next day he received a second, similar text. The messages promised ‘new secrets’ about detainees tortured in UAE prisons, and contained a hyperlink to an unfamiliar website.”
Being wise to such attempts to break into his phone after previous cyber-attacks, Mansoor reported the messages to Citizen Lab, which published a full and detailed breakdown of the attempted and previous attacks on the dissident. The 2015 winner of an Amnesty International award for human rights, Mansoor was last month arrested by the UAE government for allegedly publishing “false information and rumours as well as promoting [a] sectarian and hate-incited agenda.”
Amnesty has decried his arrest; the rights group’s regional director of research, Lynn Maalouf, called Mansoor a courageous and prominent human rights defender. “We believe Ahmed Mansoor was detained for the peaceful expression of his conscientiously held beliefs,” Maalouf added in a statement reported by Middle East Eye. As the site reports: “the UAE is an absolute monarchy which tolerates little public criticism of its ruling system and has prosecuted Mansoor and other pro-democracy activists for what it called insulting the country’s leaders.”
Although NSO has in the past marketed its capabilities, it has kept a largely low profile. According to the Wall Street Journal, co-founder Omri Lavie told Defence News in 2013, “We’re a complete ghost… We’re totally transparent to the target, and we leave no traces.”
Lookout, the cyber security company that was the first to do a detailed analysis of Pegasus and had discovered it alongside Google, describes NSO as a “cyber mercenary” firm; Lookout also published a detailed report on Chrysaor this month. “Pegasus carries a high price tag averaging at over $25,000 per target,” it pointed out. “In at least one instance, NSO Group sold 300 licences for $8 million.”
This was in Panama, where documents released by La Prensa show that a condition of the exclusive and expensive licences was that the software could not be shared “without the prior written approval of the Government of Israel.” A 2014 article about NSO in Israeli newspaper Haaretz stated that the sale of the firm to US private equity investors required “the approval of the [Israeli] Defence Ministry.”
One of the main goals of the Israeli state has long been to promote Israeli arms firms. Such state support now appears to include the weapons of choice in cyberspace.