Meet Chrysaor, one of the most sophisticated and elusive mobile spyware products. Chrysaor, which is believed to be created by the NSO Group Technologies, is related to the iOS Pegasus malware. However, Google and Lookout hunted for their Android version from the end of 2016 to beginning of 2017, and were able to expose it in April.
This talk will recount how we pursued Chrysaor using a combination of on-device and cloud based security services. In particular, we will detail the methodology and techniques that allowed us to detect this malware that affect only dozens of devices out of the billions of security reports we get from Safetynet. We will also discuss how we used our installation graph engine to determine attribution.