Hacking

Cytrox’s Predator spyware used zero-day exploits in 3 campaigns

Google’s Threat Analysis Group (TAG) uncovered campaigns targeting Android users with five zero-day vulnerabilities.

Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

The five 0-day vulnerabilities exploited by the attackers:

Below are the three campaigns documented by Google TAG, and the way the flaws were exploited:

  • Campaign #1 – redirecting to SBrowser from Chrome (CVE-2021-38000)
  • Campaign #2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)
  • Campaign #3 – Full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

“The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem.” reads the advisory published by Google. “Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”

In December a report published by CitizenLab researchers detailed the use of the Predator Spyware against exiled politician Ayman Nour and the host of a popular news program.

The disconcerting aspect of these attacks is that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different nation-state actors.

Back to the campaigns uncovered by Google TAG, they were targeting a limited number of targets, in all the attacks, the attackers delivered one-time links mimicking URL shortener services to the targeted Android users via email.

Upon clicking on the link, the victim is redirected to a domain under the control of the attackers that was used to deliver the exploits before redirecting the browser to a legitimate website.

The exploits were used to first deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.

“ALIEN lives inside multiple privileged processes and receives commands from PREDATOR over IPC. These commands include recording audio, adding CA certificates, and hiding apps.” continues the report.

“TAG continues to track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Predator)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

FBI deleted China-linked PlugX malware from over 4,200 US computers

The FBI has removed Chinese PlugX malware from over 4,200 computers in networks across the…

10 hours ago

Russia-linked APT UAC-0063 target Kazakhstan in with HATVIBE malware

Russia-linked threat actor UAC-0063 targets Kazakhstan to gather economic and political intelligence in Central Asia.…

15 hours ago

A new campaign is likely targeting a zero-day in Fortinet FortiGate firewalls<gwmw style="display:none;"></gwmw>

Experts warn of a new campaign targeting an alleged zero-day in Fortinet FortiGate firewalls with…

19 hours ago

Threat actors exploit Aviatrix Controller flaw to deploy backdoors and cryptocurrency miners

A critical vulnerability in Aviatrix Controller is actively exploited to deploy backdoors and cryptocurrency miners…

21 hours ago

U.S. CISA adds BeyondTrust PRA and RS and Qlik Sense flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds BeyondTrust PRA and RS and Qlik Sense…

1 day ago

Inexperienced actors developed the FunkSec ransomware using AI tools

FunkSec, a new ransomware group that attacked more than 80 victims in December 2024, was…

1 day ago

This website uses cookies.