Predator spyware targeting Android devices using zero-day attacks

Google has observed spyware developer Cytrox building exploits for five zero-day flaws in Android and Chrome.

On Thursday, May 19, Google’s Threat Analysis Group (TAG) reported that spyware developer and vendor Cytrox had developed exploits for five zero-day vulnerabilities and used them to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

0-days combined with n-days to deploy spyware

The exploits cover four zero-day vulnerabilities in Chrome and one in Android. TAG researchers Clement Lecigne and Christian Resell explained in a blog post that the 0-day exploits were used in combination with n-day exploits.

The attackers also benefited from the fact that some critical bugs had been patched without being flagged as security issues, and from the time lag “when these patches are fully deployed throughout the Android ecosystem.”

Spyware details

According to Google, North Macedonia-based commercial surveillance company Cytrox has packaged and sold exploits to various state-sponsored threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Cote d’Ivoire and Armenia.

Buyers are said to have used these bugs in at least three campaigns so far. Predator spyware is similar to NSO Group’s Pegasus spyware, allowing attackers to break into Android and iOS devices.

The three campaigns using Predator

TAG investigated three campaigns and found that the attackers sent one-time URLs to Android users via spear-phishing emails. These links were shortened using common URL shortening services, but were sent to only a handful of victims. When a user clicked the malicious URL, they were redirected to a malicious web page where the exploit ran automatically, and were then redirected to a legitimate website.

Once the exploit had run, the attacker deployed the Alien Android malware, which loads Cytrox’s Predator. If the shortened link was no longer active, the victim was sent directly to a legitimate website.

List of exploits

The following is a list of zero-day flaws exploited by attackers on Chrome and Android.

  • CVE-2021-1048
  • CVE-2021-37973
  • CVE-2021-37976
  • CVE-2021-38000
  • CVE-2021-38003

The main purpose of the attacker behind this operation is to distribute the Alien malware, which is a precursor to deploying Predator spyware on infected devices. Alien receives commands from Predator via an IPC (interprocess communication) mechanism and can record audio, hide apps, or add CA certificates to avoid detection.

The first campaign, last August, targeted Google Chrome on Samsung Galaxy S21 devices. A month later, the second campaign targeted a fully updated Samsung Galaxy S10, and the third campaign was detected in October 2021.
