Affiliate links on Android Authority may earn us a commission.Learn more.
Google details malware that turned Android phones into powerful espionage tools
July 26, 2025
A post on the Android Developers blog discussing the Chrysaor malware for Android has left me feeling a mixture of amazed and afraid.
Discovered late last year, Chrysaor is spyware believed to have been created by NSO Group Technologies, an Israel-based group which specializes in the development and sale of software exploits. It’s thought to be a descendant of the Pegasus spyware previously found on iOS, and made its way onto handsets through apps which weren’t available in the Google Play Store.
According to areportfrom security firm Lookout, Pegasus and its Android counterpart Chrysaor appear to be spying tools deployed by “nation states and nation-state-like groups.” In other words, spies.
“Usually, PHA [potentially harmful app] authors attempt to install their harmful apps on as many devices as possible,” wrote some of Android’s security team on the Developers blog. “However, a few PHA authors spend substantial effort, time, and money to create and install their harmful app on one or a very small number of devices. This is known as a targeted attack.”
The Android team says it has discovered Chrysaor on less than three dozen Android devices in total, and this, combined with the sophistication of the app’s capabilities (outlined below) indicates that the malware was used more as a tool for spies than as way to cajole money out of consumers.
Here’s some of the things that Chrysaor capable of:
What’s possibly even more impressive/frightening is that Chrysaor can remove itself from a device if it becomes compromised — it can basically self-destruct.
If the app fails to interact with the Google server after 60 days, for example, indicating that it has been discovered, it will delete itself from the infected phone. It can also be extricated via a command from the server.
To address the situation, the Android security team says that they have now “contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”
The nature of this attack, and the circa 36 devices out of more than 1.4 billion it infected, means that the chances of you being affected by it were already incredibly slim. Regardless, the Android team says suggests users adhere to these five basic steps to help keep themselves safe when using Android devices:
What are your thoughts on Chrysaor and the potential of such Android spyware apps? Let me know in the comments.
Thank you for being part of our community. Read ourComment Policybefore posting.
