23 May 2022

Predator spyware targeted Android users with zero-day exploits

Google's Threat Analysis Group (TAG) has shared details on three malicious campaigns that targeted owners of Android devices using five zero-day vulnerabilities to install spyware developed by commercial surveillance company Cytrox.

The campaigns, carried out between August and October 2021, leveraged zero-day flaws in the Chrome browser and Android OS to plant the Predator spyware (an Android implant described by CitizenLab in December 2021) on Android devices. The vulnerabilities involved are CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 (Chrome), and CVE-2021-1048 (Android).

The TAG team believes that all these exploits were packaged by Cytrox, and sold to different state-backed actors who used them in at least three campaigns.

“Consistent with findings from CitizenLab, we assess likely government-backed actors purchasing these exploits are operating (at least) in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia,” the team said.

The exploits were deployed in three separate campaigns:

  • Campaign 1 - redirecting to SBrowser from Chrome (CVE-2021-38000)

  • Campaign 2 - Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)

  • Campaign 3 - full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

All three observed campaigns involved one-time links mimicking URL shortener services delivered to the targeted Android users via a spear-phishing email. Once clicked, the link redirected the target to an attacker-controlled domain that delivered the exploits before redirecting the browser to a legitimate website. If the link was not active, the user was redirected directly to a legitimate website.
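The delivery pattern described above (a one-time link on a shortener-like domain, an intermediary attacker-controlled host, then a redirect to a legitimate site, or a direct redirect to the legitimate site when the link is no longer active) is something a defender can triage for in web proxy logs. The script below is an added example written for this article, not code from Google TAG or CitizenLab; the log lines, the hostnames, the `KNOWN_GOOD` allowlist and the 30-second window are all constructed placeholders, and the "short host plus one opaque path token" heuristic is an assumption about what a shortener-style link looks like, not a description of the real campaign infrastructure.

```python
"""Triage proxy logs for the shortener -> intermediary -> legitimate-site redirect chain.

Added example; every hostname, address and log line here is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample proxy log, one request per line: timestamp client url
SAMPLE_LOG = """\
2021-09-01T10:00:01Z 10.0.0.5 https://short.example/a7Kq9
2021-09-01T10:00:02Z 10.0.0.5 https://cdn-assets.example-hosting.net/p/1
2021-09-01T10:00:05Z 10.0.0.5 https://news.example.com/story
2021-09-01T11:00:01Z 10.0.0.9 https://short.example/zz12
2021-09-01T11:00:02Z 10.0.0.9 https://news.example.com/story
2021-09-01T12:00:01Z 10.0.0.7 https://news.example.com/story
2021-09-01T12:00:03Z 10.0.0.7 https://news.example.com/other
"""

# Constructed allowlist of destinations the organisation expects users to reach.
KNOWN_GOOD = {"news.example.com"}

# Heuristic (an assumption): a short hostname carrying a single opaque path token.
SHORTENER_PATH = re.compile(r"^/[A-Za-z0-9]{4,10}$")
MAX_SHORTENER_HOST_LEN = 14
WINDOW = timedelta(seconds=30)  # how long after the link click we follow the client


def parse_log(text):
    """Turn the space-separated log into (timestamp, client, parsed_url) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, url = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, urlparse(url)))
    return events


def looks_like_shortener(u):
    """Known-good hosts are never treated as shorteners; otherwise apply the heuristic."""
    host = u.hostname or ""
    if host in KNOWN_GOOD:
        return False
    return len(host) <= MAX_SHORTENER_HOST_LEN and bool(SHORTENER_PATH.match(u.path))


def find_chains(events):
    """For each shortener-style request, classify what the same client did next."""
    per_client = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        per_client[ev[1]].append(ev)

    findings = []
    for client, evs in per_client.items():
        for i, (t0, _, u0) in enumerate(evs):
            if not looks_like_shortener(u0):
                continue
            # Distinct hosts contacted within the window after the link was clicked.
            hosts = []
            for t, _, u in evs[i + 1:]:
                if t - t0 > WINDOW:
                    break
                if u.hostname not in hosts:
                    hosts.append(u.hostname)

            if not hosts:
                verdict, intermediary = "shortener_only", None
            elif hosts[0] in KNOWN_GOOD:
                # Matches the inactive-link behaviour: straight to the legitimate site.
                verdict, intermediary = "direct_redirect", None
            elif any(h in KNOWN_GOOD for h in hosts[1:]):
                # Matches the active-link behaviour: unknown host first, then a legitimate site.
                verdict, intermediary = "intermediary_then_legit", hosts[0]
            else:
                verdict, intermediary = "unknown_destination", hosts[0]

            findings.append({
                "client": client,
                "link": u0.geturl(),
                "intermediary": intermediary,
                "verdict": verdict,
            })
    return findings


if __name__ == "__main__":
    for f in find_chains(parse_log(SAMPLE_LOG)):
        print(f)
```

The `intermediary_then_legit` verdict is the one worth a closer look: the host in the middle is the one that would have served content before the browser was sent on to the legitimate site, so it is the candidate to pivot on in DNS, TLS and endpoint telemetry. A `direct_redirect` on its own is not evidence of anything, but the article notes that expired one-time links behave exactly that way, so it is useful context when the same shortener domain shows up in both verdicts.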

The goal of the three malicious campaigns was to deliver the Alien malware, a downloader for Predator. Alien resides within multiple privileged processes and receives commands from Predator over IPC, including recording audio, adding CA certificates, and hiding apps.
