Spyware Predator infects Android using zero-day exploits, researchers say

Predator, spyware developed by the commercial surveillance company Cytrox and a competitor to the Israeli NSO Group’s Pegasus, was delivered using exploits for five zero-day vulnerabilities in the Chrome browser and the Android operating system, according to Google’s Threat Analysis Group (TAG).

The attacks were part of three campaigns carried out between August and October of last year. According to TAG, Predator was installed on fully updated Android devices. “We assess with high confidence that these exploits were pooled by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below,” said Clement Lecigne and Christian Resell, members of Google TAG.

Among the customers who purchased these exploits and used them against targeted Android users were the governments of Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain and Indonesia.

TAG’s findings align with the Cytrox report published by Citizen Lab in December 2021. At the time, researchers had discovered the spyware on the phone of exiled Egyptian politician Ayman Nour.

The same phone was also infected with Pegasus, although, according to Citizen Lab’s assessment, the two spyware tools were operated by different government customers.

Android and Chrome zero-day exploits

Of the five zero-day exploits discovered by the researchers, four take advantage of vulnerabilities in the Chrome browser (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003) and one targets Android itself (CVE-2021-1048). Some campaigns chained more than one vulnerability to install the malware on the target device.

“All three campaigns delivered unique links that mimic URL shortener services to target Android users via email. Campaigns were limited – in each case, we evaluated the number of targets in the dozens of users,” added the TAG analysts.

  • Campaign #1 – Redirect from Chrome to SBrowser (CVE-2021-38000)
  • Campaign #2 – Escape the Chrome Sandbox (CVE-2021-37973, CVE-2021-37976)
  • Campaign #3 – Complete Android Zero-Day Exploit Chain (CVE-2021-38003, CVE-2021-1048)

They explain that targeted users who clicked on the malicious link were redirected to a domain controlled by the attacker, which delivered the exploits before redirecting the browser to the legitimate website. If the link was no longer active, the victim was sent straight to the requested site.

The same technique was also used against journalists and other Android users, who were identified as targets of government-backed attacks.

Downloaded Spyware Uses Android Banking Trojan

In the campaigns described, the first stage of the attack consists of installing Alien, also known as AlienBot, a banking trojan for Android. Its RAT functionality is responsible for loading the Predator spyware, which is capable of recording audio, adding CA certificates and hiding apps.

The current TAG report is a follow-up to an analysis published in July 2021, which covered other zero-day flaws discovered the same year in the Chrome, Internet Explorer and WebKit (Safari) browsers.

The researchers are currently tracking more than 30 vendors, with varying levels of sophistication and public exposure, that sell exploits or surveillance capabilities to government-backed actors, TAG reported on Thursday.

Via BleepingComputer