23 May 2022

Predator spyware targeted Android users with zero-day exploits

Google's Threat Analysis Group (TAG) has shared details on three malicious campaigns that targeted owners of Android devices using five zero-day vulnerabilities to install spyware developed by commercial surveillance company Cytrox.

The campaigns, carried out between August and October 2021, leveraged zero-day flaws in the Chrome browser and Android OS to plant the Predator spyware (an Android implant described by CitizenLab in December 2021) on Android devices. The vulnerabilities are CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 (Chrome), and CVE-2021-1048 (Android).

The TAG team believes that all these exploits were packaged by Cytrox and sold to different state-backed actors, who used them in at least three campaigns.

“Consistent with findings from CitizenLab, we assess likely government-backed actors purchasing these exploits are operating (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia,” the team said.

The exploits were deployed in three separate campaigns:

  • Campaign 1 - redirecting to SBrowser from Chrome (CVE-2021-38000)

  • Campaign 2 - Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)

  • Campaign 3 - full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

All three observed campaigns involved one-time links mimicking URL shortener services delivered to the targeted Android users via a spear-phishing email. Once clicked, the link redirected the target to an attacker-controlled domain that delivered the exploits before redirecting the browser to a legitimate website. If the link was not active, the user was redirected directly to a legitimate website.
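The delivery mechanism above (one-time links posing as URL-shortener links in spear-phishing mail) gives mail defenders a cheap triage signal: a link whose host merely resembles a well-known shortener. The script below is an added example, not code from the article or from Google TAG. The shortener allowlist, the sample messages and every hostname in them are constructed for illustration and are not indicators from the campaigns.

```python
"""Triage mail bodies for URLs whose host looks like a URL shortener but is not one.

Added example (not from the original article or from Google TAG). The allowlist
and the sample messages are constructed; hostnames are placeholders, not IoCs.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist of genuine shortener hosts; extend for your environment.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalikes (bit.1y)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host: str) -> str:
    """Return 'known' (real shortener), 'lookalike' (impersonation) or 'other'."""
    host = host.lower().rstrip(".")
    bare = host[4:] if host.startswith("www.") else host
    if bare in KNOWN_SHORTENERS:
        return "known"
    for real in KNOWN_SHORTENERS:
        # One-character typo of a real shortener host, e.g. bit.1y for bit.ly.
        if edit_distance(bare, real) <= 1:
            return "lookalike"
        # Real shortener name used as a leading subdomain of some other domain,
        # e.g. bit.ly.example.net, which reads as bit.ly in a narrow mail client.
        if bare.startswith(real + "."):
            return "lookalike"
    return "other"


def scan_message(body: str) -> list:
    """Extract every URL from a mail body and attach a verdict to each."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;")
        host = urlparse(url).hostname or ""
        findings.append({"url": url, "host": host, "verdict": classify_host(host)})
    return findings


def suspicious_links(bodies: list) -> list:
    """Return only the URLs worth an analyst's attention across several messages."""
    return [f for body in bodies for f in scan_message(body) if f["verdict"] == "lookalike"]


# Constructed sample messages (placeholders, not real campaign indicators).
SAMPLE_BODIES = [
    "Please review the shared document: https://bit.1y/3aB9cD before Friday.",
    "Thanks, see https://bit.ly/3xYz for the agenda.",
    "Updated file at https://bit.ly.example.net/r/7QwE (expires today).",
    "Our site: https://www.example.org/page.",
]

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_BODIES):
        print(f"{finding['verdict']:9s} {finding['host']:24s} {finding['url']}")
```

Because the links were one-time and redirected dead links straight to a legitimate site, fetching the URL during triage usually shows nothing useful; the lookalike host in the original mail, together with the sender and recipient, is what survives for correlation across a fleet of mailboxes.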

The goal of the three malicious campaigns was to deliver the Alien malware, a downloader for Predator. Alien resides within multiple privileged processes and receives commands from Predator over IPC, including recording audio, adding CA certificates, and hiding apps.

