Cytrox’s Predator Spyware targeted Android users with zero-day exploits

Google’s Threat Analysis Group (TAG) on Thursday named a North Macedonian spyware developer, Cytrox, as the developer of exploits against five zero-day (aka 0-day) bugs, four in Chrome and one in Android, used to target selected Android users.

“0-day exploits were used alongside n-day exploits because developers took advantage of the time difference between fixing certain critical bugs that were not reported as security issues and releasing those fixes that were fully deployed in the Android ecosystem,” TAG researchers Clément Lecigne and Christian Resell said.

Cytrox reportedly packaged the exploits and sold them to various government-backed actors in Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain, and Indonesia, who in turn used the bugs in at least three different campaigns.

The commercial surveillance company is the maker of Predator, an implant similar to NSO Group’s Pegasus, and is known for developing tools that allow its customers to infiltrate iOS and Android devices.

In December 2021, Meta Platforms (formerly Facebook) announced that it had taken action to remove around 300 accounts on Facebook and Instagram that the surveillance company had used in its compromise campaigns.

The list of five zero-day bugs exploited in Chrome and Android is below –

According to TAG, the three campaigns in question began with a spear-phishing email that contained unique links impersonating URL shortening services. When clicked, the links redirected targets to a rogue domain that dropped the exploits before bringing victims to a legitimate site.

“The campaigns were limited – in any case, we estimate the number of targets at dozens of users,” Lecigne and Resell noted. “If the link was not active, the user was redirected directly to a legitimate website.”

The researchers believed that the ultimate goal of the operation was to spread malware called Alien, which serves as a precursor to loading Predator onto infected Android devices.

The “simple” malware, which receives commands from Predator via an interprocess communication (IPC) mechanism, is designed to record audio, add CA certificates, and hide applications to evade detection.

The first of the three campaigns took place in August 2021. It used Google Chrome as a starting point on a Samsung Galaxy S21 device, exploiting CVE-2021-38000 to force the browser to load a different URL in the Samsung web browser without requiring user interaction.

Another breach, which took place a month later and was delivered to an up-to-date Samsung Galaxy S10, involved an exploit chain containing CVE-2021-37973 and CVE-2021-37976 to escape the Chrome sandbox (not to be confused with Privacy Sandbox) and then drop a second exploit to elevate privileges and deploy the backdoor.

The third campaign – a full Android 0-day exploit – was discovered in October 2021 on a recent Samsung phone running the latest version of Chrome. It combined two bugs, CVE-2021-38003 and CVE-2021-1048, to bypass the sandbox and compromise the system by injecting malicious code into privileged processes.

Google TAG pointed out that although CVE-2021-1048 was fixed in the Linux kernel in September 2020, it was only backported to Android last year because the fix was not flagged as a security issue.

“Attackers are actively looking for and exploiting these slowly resolving vulnerabilities,” the researchers said.

“Tackling the malicious practices of the commercial surveillance industry requires a robust and comprehensive approach that includes collaboration between threat intelligence teams, network defenders, academic researchers and technology platforms.”
