Fighting Targeted Malware in the Mobile Ecosystem

Black Hat USA 2017

Presented by: Andrew Blaich, Megan Ruthven
Date: Wednesday July 26, 2017
Time: 17:05 - 17:30
Location: Mandalay Bay AB

Meet Chrysaor, one of the most sophisticated and elusive mobile spyware products. Chrysaor, which is believed to have been created by NSO Group Technologies, is related to the iOS Pegasus malware. However, Google and Lookout hunted for their Android version from the end of 2016 to the beginning of 2017, and were able to expose it in April.

This talk will recount how we pursued Chrysaor using a combination of on-device and cloud-based security services. In particular, we will detail the methodology and techniques that allowed us to detect this malware, which affects only dozens of devices out of the billions of security reports we get from SafetyNet. We will also discuss how we used our installation graph engine to determine attribution.

Megan Ruthven

Megan Ruthven is a software engineer on Google's Android Security team, where she uses device and application data to combat malware on a global scale. Prior to joining Google, Megan was a graduate student at the University of Texas at Austin. She is a Kleiner Perkins Caufield and Byers Engineering Fellow.

Andrew Blaich

Andrew Blaich is a security researcher at Lookout, where he is focused on mobile threat hunting and vulnerability research. Prior to Lookout, Andrew was the Lead Security Analyst at Bluebox Security. He holds a Ph.D. in computer science and engineering from the University of Notre Dame in enterprise security and wireless networking. Andrew has presented at conferences including Black Hat, RSA, and Kaspersky SAS. In his free time he loves to run.

