Google has published a report on a recently discovered spyware campaign. According to the Google Threat Analysis Group (TAG) team, the Cytrox group used zero-day vulnerabilities in the Chrome browser and Android OS to inject Predator software.
TAG reports that Cytrox exploited four zero-day vulnerabilities in the Chrome browser (CVE-2021-38000, CVE-2021-37973, CVE-2021-37976 and CVE-2021-38003) and one in Android (CVE-2021-1048). The campaigns also used vulnerabilities for which patches had already been released but had not yet been fully deployed across the Android ecosystem.
Cytrox works in the following way: the gang distributes via email a link that directs the victim to the attacker's domain, from which Android malware called Alien is installed on the victim's phone. This program then downloads the Predator spyware, which can, for example, hide apps and record audio.
This technique, according to the TAG team, has already been used against journalists, political activists, officials, etc. In this case, the researchers found that spyware was used in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
TAG notes that the campaign is not over and that more attacks are to be expected. The researchers also point to the high level of involvement of private companies in the development of surveillance software: according to TAG, more than 30 private firms now sell exploits and spyware to various governments.