ZeroDay Exploits Used by Predator Spyware in multiple campaigns
Pegasus malware from the NSO group has dominated the commercial spyware vendors who sell their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the wider surveillance-for-hire industry. Google’s TAG published details about three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox, to target Android users.
Cytrox published in December by researchers at the University of Toronto’s Citizen Lab, TAG saw evidence that state-sponsored actors who bought the Android exploits were in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known flaws that had fixes available, but that victim hadn’t patched.
The commercial spyware industry has given governments that don’t have the funds or expertise to develop their own hacking tools access to an expansive array of products and surveillance services. This allows repressive regimes and law enforcement more broadly to acquire tools that enable them to surveil dissidents, human rights activists, journalists, political opponents, and regular citizens. And while a lot of attention has been focused on spyware that targets Apple’s iOS, Android is the dominant operating system worldwide and has been facing similar exploitation attempts.
The five 0-day vulnerabilities exploited by the attackers:
- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 – Chrome.
- CVE-2021-1048 -Android.
Below are the three campaigns documented by Google TAG, and the way the flaws were exploited:
- Campaign-1 – redirecting to SBrowser from Chrome (CVE-2021-38000)
- Campaign-2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)
- Campaign -3 – Full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)
Attackers were targeting a limited number of targets, in all the attacks, the attackers delivered one-time links mimicking URL shortener services to the targeted Android users via email. Once the link is clicked, the victim is redirected to a domain under the control of the attackers that were used to deliver the exploits before redirecting the browser to a legitimate website.
The exploits were used to first deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.
As is the case with iOS, such attacks on Android require exploiting a series of operating system vulnerabilities in sequence. By deploying fixes, operating system makers can break these attack chains, sending spyware vendors back to the drawing board to develop new or modified exploits. But while this makes it more difficult for attackers, the commercial spyware industry has still been able to flourish.