Chrysaor

Chrysaor is the Android version of NSO Group's Pegasus spyware. It was discovered by Lookout and Google in April 2017 as the Android counterpart to the iOS Pegasus found on Ahmed Mansoor's phone in August 2016, and is named after Pegasus's brother in Greek mythology. Unlike iOS Pegasus, which used zero-click exploits, Chrysaor used the Framaroot framework for rooting and could persist across factory resets by installing to the /system partition.

Overview

| Property | Value |
|---|---|
| First Seen | ~2014 (active ~3 years before discovery); disclosed April 2017 |
| Type | Nation-state-grade commercial spyware |
| Attribution | NSO Group (Israel) |
| Aliases | Pegasus for Android (Lookout) |

Distribution

Delivery was targeted: spear-phishing links sent to specific individuals (activists, journalists, dissidents). It was never distributed through Google Play, and fewer than three dozen infected devices were found.

Capabilities

| Capability | Implementation |
|---|---|
| Full surveillance | Keylogging, screenshots, live audio/video recording |
| App data theft | Exfiltration from Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, Kakao |
| SMS/call interception | Full communication monitoring |
| Camera/microphone | Remote activation |
| Location tracking | GPS tracking |
| Self-destruct | Removed itself if it detected potential discovery |
| System persistence | Installed to /system partition, surviving factory resets |
| Root method | Framaroot (no zero-days required, unlike iOS Pegasus) |
| Update blocking | Disabled system updates to prevent patching |
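
The /system persistence listed above is what defeats a factory reset: the reset wipes the user data partition and leaves /system as it is. As an added example (not from the original page, Lookout or Google), the Python below triages `pm list packages -f` output by flagging packages whose APK sits under /system but is missing from a known-good baseline for that build; every package name, path and baseline entry is constructed for illustration and none is a Chrysaor indicator.

```python
SYSTEM_PREFIX = "/system/"

# Constructed sample of `adb shell pm list packages -f` output (not real IoCs).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/data/app/~~Zm9v==/com.example.chat-YmFy==/base.apk=com.example.chat
package:/system/priv-app/SvcHelper/SvcHelper.apk=com.example.svchelper
package:/system/app/NetTools.apk=com.example.nettools
garbage line that is not a package entry
"""

# Assumption: package names taken from a known-clean image of the same build.
BASELINE = {"com.android.settings", "com.android.calendar", "com.example.nettools"}


def parse_pm_list(text):
    """Return (apk_path, package_name) pairs from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip blank lines and shell noise
        # Paths under /data/app can contain '=' on newer Android,
        # so split on the last '=' rather than the first.
        path, sep, name = line[len("package:"):].rpartition("=")
        if sep and path and name:
            entries.append((path, name))
    return entries


def unexpected_system_packages(text, baseline, prefix=SYSTEM_PREFIX):
    """Packages installed under the system partition that the baseline lacks."""
    return sorted(
        (name, path)
        for path, name in parse_pm_list(text)
        if path.startswith(prefix) and name not in baseline
    )


if __name__ == "__main__":
    for name, path in unexpected_system_packages(SAMPLE_PM_OUTPUT, BASELINE):
        print(f"review: {name} at {path}")
```

A hit is a lead for manual review rather than a verdict, since OEM and carrier builds legitimately differ in what they ship under /system.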

Target Regions

Israel (primary), Georgia, Mexico, Turkey, UAE, Kenya, Kyrgyzstan, Nigeria, Tanzania, Ukraine, Uzbekistan.

Relationship to Pegasus

Chrysaor is the Android implementation of the same surveillance platform:

| Aspect | iOS Pegasus | Android Chrysaor |
|---|---|---|
| Root/jailbreak | Zero-click exploit chains (Trident) | Framaroot framework |
| Persistence | Jailbreak persistence | /system partition install |
| Fallback | N/A | If rooting fails, requests permissions for partial surveillance |
| Discovery | August 2016 (Citizen Lab) | April 2017 (Lookout + Google) |

References