Google’s Threat Analysis Group (TAG) has discovered three government-backed campaigns that used zero-day exploits to deliver the Predator spyware suite developed by commercial surveillance firm Cytrox. The attackers took advantage of five previously unknown Android vulnerabilities, as well as vulnerabilities that were already known but had not been patched on the victims’ devices. The attacks resembled those conducted with NSO’s infamous Pegasus software.
A zero-day is a vulnerability in a system that is not yet known to the developers of the software. A zero-day attack occurs when hackers exploit such a vulnerability to gain unauthorized access to the system. Google’s Project Zero researchers previously reported a sharp increase in such exploits in 2021.
TAG has concluded with high confidence that the newly discovered exploits were packaged by Cytrox and sold to various government-backed actors, who used them in at least three campaigns. The group assessed that the government-backed actors who bought these exploits were operating in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
The actors used these zero-day exploits alongside other, already known vulnerabilities because they could take advantage of the gap between when certain critical bugs were discovered and when patches for them were actually deployed across the Android ecosystem.
According to TAG, these findings emphasize how commercial surveillance vendors have built capabilities that were historically available only to governments with the technical expertise to develop and operate such exploits. The proliferation of such commercial surveillance companies means that these capabilities are now available to any government that can afford to purchase them.
All three campaigns delivered links mimicking URL shortener services to targeted Android users via email. Once a user clicked a link, they were redirected to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate website.
If the link was not active, the user was redirected directly to a legitimate website. Google observed these techniques being used against journalists and other unidentified targets, whom the company alerted whenever possible.
These campaigns delivered an Android malware called Alien, an implant that lives inside the device and receives commands from a second Android implant, Predator. These commands included recording audio, adding CA certificates and hiding apps.