Google: Predator Malware Affected Android Devices With Zero-day Vulnerabilities

According to Google’s Threat Analysis Group (TAG), state-sponsored threat actors used five zero-day vulnerabilities to install Predator spyware, built by the commercial surveillance firm Cytrox.

The attackers used zero-day exploits against Chrome and the Android OS to install Predator spyware implants on fully updated Android devices. The attacks were part of three campaigns that began between August and October 2021.

“We have high confidence that these attacks were bundled by a single commercial monitoring outfit, Cytrox,” Google TAG members Clement Lecigne and Christian Resell said.

According to Google’s investigation, the government-backed bad actors who bought and utilized these exploits to infect Android targets with spyware are from Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

These findings are consistent with CitizenLab’s study on Cytrox mercenary spyware, which was released in December 2021 after its researchers detected the harmful software on the phone of exiled Egyptian politician Ayman Nour.

According to CitizenLab, Nour’s phone was also infected with NSO Group’s Pegasus malware, with the two programs being used by two distinct government clients.

Three efforts targeting Android users used zero-day vulnerabilities.

These efforts leveraged five previously unknown zero-day security vulnerabilities: CVE-2021-1048 in Android, and CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 in Chrome.

Threat actors exploited these zero-day vulnerabilities in three independent campaigns:

Campaign #1: redirecting from Chrome to SBrowser (CVE-2021-38000)

Campaign #2: Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)

Campaign #3: full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

“All three efforts emailed targeted Android users one-time URLs that looked like URL shortener services. The campaigns were small – we estimate that the number of users targeted in each case was in the tens of thousands,” TAG experts at Google stated.

“When the link was clicked, the target was sent to an attacker-controlled domain that provided the exploits before redirecting the browser to a legitimate website. The user was forwarded to a valid website if the link was not active.”

This assault method was also employed against journalists and other Google users who had been warned that they were being targeted by government-sponsored attacks.

The Android banking trojan delivered a spyware implant.

In these campaigns the attackers employed the Android Alien banking trojan, which has RAT features, to load the Predator Android implant. The implant can capture audio, add CA certificates, and hide apps.

This research is a follow-up to a July 2021 examination of four additional zero-day vulnerabilities reported in Chrome, Internet Explorer, and WebKit (Safari) in 2021.

Government hackers linked to Russia’s Foreign Intelligence Service (SVR) exploited the Safari zero-day to target iOS devices belonging to government officials in western European countries, according to Google TAG experts.

Google TAG noted on Thursday that “TAG is actively tracking more than 30 vendors with varied levels of expertise and public exposure providing exploits or surveillance capabilities to government-backed entities.”
