Predator Spyware Using Zero-day to Target Android Devices

By Deeba Ahmed

HackRead

Spyware developer firm Cytrox is under Google’s radar for developing exploits against five 0-day flaws in Android and Chrome.

On Thursday, May 19th, Google’s Threat Analysis Group (TAG) reported that spyware developer/vendor Cytrox had developed exploits against five zero-day vulnerabilities to target Android users with spyware.

According to the details shared by TAG, threat actors are using the infamous Predator spyware in three different campaigns. Predator was previously analyzed in a report from the University of Toronto’s Citizen Lab.

0-days used with n-days to Deploy Spyware

The exploits are developed for four Chrome 0-days and one Android 0-day flaw. In their blog post, TAG researchers Clement Lecigne and Christian Resell explained that the 0-days are used in conjunction with n-day exploits.

Moreover, the attackers exploit the time gap between when some critical bugs were patched without being flagged as severe security issues and “when these patches were fully deployed across the Android ecosystem.”
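The patch gap described above is something a fleet owner can measure directly. The following is an added example (not code from the article or from Google TAG) that flags devices whose Chrome build or Android security patch level predates the fix for each CVE the article lists; the fix versions are placeholders to be filled in from the Chrome release notes and the Android Security Bulletin, and the device records are constructed sample data.

```python
"""Patch-gap triage for the CVEs named in the article.

Added example, not from the article or from Google TAG. The CHROME_FIXES and
ANDROID_FIXES values are PLACEHOLDERS: replace them with the real fixed
versions from the Chrome release notes and the Android Security Bulletin.
"""
from dataclasses import dataclass

# Placeholder "first fixed" Chrome versions (NOT taken from the article).
CHROME_FIXES = {
    "CVE-2021-37973": "94.0.0.0",  # placeholder
    "CVE-2021-37976": "94.0.0.0",  # placeholder
    "CVE-2021-38000": "95.0.0.0",  # placeholder
    "CVE-2021-38003": "95.0.0.0",  # placeholder
}
# Placeholder Android security patch level (YYYY-MM-DD) that carries the fix.
ANDROID_FIXES = {"CVE-2021-1048": "2021-11-05"}  # placeholder


@dataclass
class Device:
    name: str
    chrome_version: str   # e.g. the versionName of com.android.chrome
    security_patch: str   # ro.build.version.security_patch, ISO date


def chrome_version_tuple(version: str) -> tuple:
    """'94.0.4606.81' -> (94, 0, 4606, 81) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def exposed_cves(dev: Device) -> list:
    """Return the CVEs whose fix is newer than what the device is running."""
    exposed = []
    for cve, fixed in CHROME_FIXES.items():
        if chrome_version_tuple(dev.chrome_version) < chrome_version_tuple(fixed):
            exposed.append(cve)
    for cve, fixed in ANDROID_FIXES.items():
        if dev.security_patch < fixed:  # ISO dates compare correctly as strings
            exposed.append(cve)
    return sorted(exposed)


def triage(devices: list) -> dict:
    """Map device name -> exposed CVEs, omitting fully patched devices."""
    return {d.name: exposed_cves(d) for d in devices if exposed_cves(d)}


if __name__ == "__main__":
    # Constructed sample fleet; not real inventory data.
    fleet = [
        Device("s21-lab", "93.0.4577.82", "2021-09-05"),
        Device("mid-patched", "94.0.4606.80", "2021-10-05"),
        Device("s10-patched", "95.0.4638.74", "2021-12-01"),
    ]
    for name, cves in triage(fleet).items():
        print(f"{name}: still exposed to {', '.join(cves)}")
```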

Spyware Details

According to Google, the North Macedonia-based commercial surveillance firm Cytrox has packaged and sold the exploits to different state-backed threat actors in Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.

It is alleged that the buyers have used these bugs in at least three campaigns so far. The Predator spyware is similar to NSO Group’s Pegasus spyware, allowing threat actors to penetrate Android and iOS devices.

About the Three Campaigns using Predator

TAG examined three campaigns and concluded that attackers send one-time URLs to Android users through spear-phishing emails. These links are shortened with a commonly used URL shortener, and the attackers target only a handful of victims. When a user clicks the malicious URL, they are redirected to a malicious webpage that automatically deploys the exploits and then redirects them to a legitimate website.

Once on that page, the attackers deploy the Alien Android malware, which in turn loads Cytrox’s Predator. If the shortened link is no longer active, the victim is taken straight to the legitimate website.

List of Exploits

Here’s the list of the 0-day flaws exploited by attackers in Chrome and Android:

  • CVE-2021-1048
  • CVE-2021-37973
  • CVE-2021-37976
  • CVE-2021-38000
  • CVE-2021-38003

The primary aim of the attackers behind this operation is distributing the Alien malware, which is a precursor to deploying Predator spyware onto infected devices. Alien receives commands from Predator through an IPC (inter-process communication) mechanism and can record audio, hide apps, and add CA certificates to evade detection.

The first campaign was launched in August last year via Google Chrome, targeting a Samsung Galaxy S21 device. One month later, the second campaign targeted an updated Samsung Galaxy S10, while the third was detected in October 2021.

Related news

Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack

Cybersecurity researchers have flagged multiple in-the-wild exploit campaigns that leveraged now-patched flaws in Apple Safari and Google Chrome browsers to infect mobile users with information-stealing malware. "These campaigns delivered n-day exploits for which patches were available, but would still be effective against unpatched devices," Google Threat Analysis Group (TAG) researcher Clement

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).

Hackers Create Malicious Dota 2 Game Modes to Secretly Access Players' Systems

An unknown threat actor created malicious game modes for the Dota 2 multiplayer online battle arena (MOBA) video game that could have been exploited to establish backdoor access to players' systems. The modes exploited a high-severity flaw in the V8 JavaScript engine tracked as CVE-2021-38003 (CVSS score: 8.8), which was exploited as a zero-day and addressed by Google in October 2021. "Since V8

Malicious Game Mods Target Dota 2 Game Users

Valve's unpatched JavaScript engine and incomplete modification vetting process for Steam-delivered mods led to user systems being backdoored.

Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware

A spyware vendor called Cytrox was found to be using several zero-day vulnerabilities in Google's Chrome browser and the Android kernel component. The post Zero-day vulnerabilities in Chrome and Android exploited by commercial spyware appeared first on Malwarebytes Labs.

Cytrox's Predator Spyware Target Android Users with Zero-Day Exploits

Google's Threat Analysis Group (TAG) on Thursday pointed fingers at a North Macedonian spyware developer named Cytrox for developing exploits against five zero-day (aka 0-day) flaws, four in Chrome and one in Android, to target Android users. "The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched

CVE-2021-0928: Android Security Bulletin—November 2021

In createFromParcel of OutputConfiguration.java, there is a possible parcel serialization/deserialization mismatch due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-9, Android-10, Android-11. Android ID: A-188675581.
