Google’s Threat Analysis Group reveals how commercial spyware was used to hack into Android
Google’s Threat Analysis Group (TAG) has discovered three government-backed campaigns that used zero-day exploits to deliver the Predator spyware suite developed by the commercial surveillance firm Cytrox. The attackers took advantage of five previously unknown Android vulnerabilities, as well as some vulnerabilities that were already known but not yet patched on the victims’ devices. The attacks were similar to those conducted with the infamous Pegasus software from NSO.
A zero-day is a vulnerability in a system that is not yet known to the developers who created the software, so no fix for it exists. A zero-day attack is when hackers exploit such a vulnerability to gain unauthorised access to a system. Google’s Project Zero researchers had earlier reported a sharp uptick in the discovery of such exploits in 2021.
TAG concluded with high confidence that the newly discovered exploits were packaged by Cytrox and sold to various government-backed actors, who used them in at least three campaigns. The group assessed that the government-backed actors purchasing these exploits are operating in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
The actors used these zero-day exploits alongside exploits for already discovered vulnerabilities, because the malware developers were able to take advantage of the lag between when some critical bugs were discovered and when patches for them actually reached devices across the Android ecosystem.
According to TAG, these findings emphasise how commercial surveillance vendors have built capabilities that were historically only used by governments with the technical expertise to develop and operate such exploits. The proliferation of such commercial surveillance companies means that these capabilities are now available for any government that can buy them.
All three campaigns sent targeted Android users emails containing links that mimicked URL shortener services. Once a user clicked a link, they were redirected to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate website.
If the malicious link was not active, the user was sent directly to a legitimate website. Google saw these techniques used against journalists and other, unidentified targets, whom the company alerted whenever possible.
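The delivery chain described above leaves a recognisable trace in outbound web proxy logs: a shortener-style link on an unfamiliar host, a detour through a third domain, and a landing page on a legitimate site (or, for an inactive link, a shortener-style link that jumps straight to the legitimate site). The following script is an added illustration of how a defender could triage such chains; it is not code from Google TAG or from the article. The log format, the client addresses, every domain name, the shortener allowlist and the "short opaque path token" heuristic are all constructed assumptions for this example.

```python
"""Triage redirect chains recorded by an outbound web proxy for the lure pattern
described in the article: a link that looks like a URL-shortener link, an
intermediate hop on a domain that is neither the shortener nor the final site,
and a landing page on a legitimate website.

Added illustration, not code from Google TAG or from the article. The log lines,
client addresses and every domain in them are constructed; the shortener
allowlist and the log format are assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed proxy log: "<client> <requested url> <status> <Location header or ->".
SAMPLE_PROXY_LOG = """\
10.0.0.7 https://shortlink-example.test/abc1 302 https://redirector-example.test/go?id=1
10.0.0.7 https://redirector-example.test/go?id=1 302 https://news-example.org/story/2022/05/update
10.0.0.7 https://news-example.org/story/2022/05/update 200 -
10.0.0.9 https://short-example.test/def2 302 https://news-example.org/story/2022/05/update
10.0.0.9 https://news-example.org/story/2022/05/update 200 -
10.0.0.11 https://shortlink-example.test/ghi3 302 https://news-example.org/story/2022/05/update
10.0.0.11 https://news-example.org/story/2022/05/update 200 -
"""

# Assumed local allowlist of URL shorteners the organisation expects to see.
KNOWN_SHORTENERS = {"short-example.test"}

# Assumed heuristic: shortener links carry a single short, opaque path token.
SHORT_TOKEN_PATH = re.compile(r"/[A-Za-z0-9_-]{3,12}")


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def parse_log(text):
    """Parse the constructed log format into (client, url, status, location) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, url, status, location = line.split()
        events.append((client, url, int(status), None if location == "-" else location))
    return events


def build_chains(events):
    """Stitch consecutive hops per client into ordered chains of requested URLs.

    A request continues the client's open chain only if it asks for the URL named
    in the previous response's Location header; anything else starts a new chain.
    """
    finished, open_chain, expected = [], {}, {}
    for client, url, status, location in events:
        if client in open_chain and expected.get(client) == url:
            open_chain[client].append(url)
        else:
            if client in open_chain:
                finished.append((client, open_chain[client]))
            open_chain[client] = [url]
        if 300 <= status < 400 and location:
            expected[client] = location
        else:
            finished.append((client, open_chain.pop(client)))
            expected.pop(client, None)
    finished.extend(open_chain.items())  # chains cut off at the end of the log
    return finished


def assess_chain(chain, known_shorteners=KNOWN_SHORTENERS):
    """Return the reasons a chain matches the lure pattern; an empty list if none."""
    hosts = [host_of(u) for u in chain]
    reasons = []
    first_path = urlsplit(chain[0]).path
    if SHORT_TOKEN_PATH.fullmatch(first_path) and hosts[0] not in known_shorteners:
        reasons.append(f"shortener-style link on unknown host {hosts[0]}")
    # Hosts visited between the lure and the landing page that belong to neither.
    for hop in hosts[1:-1]:
        if hop not in known_shorteners and hop != hosts[-1]:
            reasons.append(f"detour through {hop} before landing on {hosts[-1]}")
    return reasons


def analyse(log_text, known_shorteners=KNOWN_SHORTENERS):
    """Return [(client, chain, reasons)] for every chain with at least one reason."""
    findings = []
    for client, chain in build_chains(parse_log(log_text)):
        reasons = assess_chain(chain, known_shorteners)
        if reasons:
            findings.append((client, chain, reasons))
    return findings


if __name__ == "__main__":
    for client, chain, reasons in analyse(SAMPLE_PROXY_LOG):
        print(client, " -> ".join(host_of(u) for u in chain))
        for reason in reasons:
            print("   ", reason)
```

On the constructed log the chain from 10.0.0.7 is flagged twice (unknown shortener-style host, plus the detour), the direct hop from a known shortener at 10.0.0.9 is left alone, and 10.0.0.11 shows what an inactive lure looks like: the same unfamiliar shortener-style host, but no detour. Stitching chains from the proxy's own records, rather than re-fetching the links, keeps the analyst from touching the attacker's infrastructure during triage.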
These campaigns delivered an Android malware called ALIEN, an implant that lives inside the device and receives commands from a second implant, PREDATOR. These commands included recording audio, adding CA certificates and hiding apps.