Google’s Threat Analysis Group (TAG) on Thursday pointed the finger at a North Macedonian spyware developer named Cytrox for exploiting five zero-day flaws (also known as 0-days), four in Chrome and one in Android, to target Android users.
“Zero-day exploits were used in conjunction with n-day exploits because the developers took advantage of the time difference between the time when certain critical bugs were fixed but not flagged as security issues and the time when those fixes were fully deployed across the Android ecosystem,” TAG researchers Clément Lecigne and Christian Resell said.
Cytrox allegedly packaged the exploits and sold them to government-backed actors located in Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain, and Indonesia, who, in turn, used the bugs in at least three separate campaigns.
The commercial surveillance company is the maker of Predator, a spyware implant comparable to NSO Group’s Pegasus, and is known for developing tools that let its customers access iOS and Android devices.
In December 2021, Meta Platforms (formerly Facebook) revealed that it had acted to remove some 300 accounts on Facebook and Instagram that the company used as part of its compromise campaigns.
The five zero-day flaws exploited in Chrome and Android, as named later in this report, are CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 in Chrome, and CVE-2021-1048 in Android (a Linux kernel bug).
According to TAG, the three campaigns in question started with a spear-phishing email containing one-time links that mimicked URL shortener services; once clicked, the links redirected targets to a rogue domain that dropped the exploits before sending the victim on to a legitimate website.
“The campaigns were limited; in each case, we assess the number of targets to be in the dozens of users,” Lecigne and Resell said. “If the link was not active, the user was redirected directly to a legitimate website.”
The ultimate goal of the operation, the researchers assessed, was to distribute malware called Alien, which acts as a precursor for loading Predator onto compromised Android devices.
The “simple” malware, which receives commands from Predator over an interprocess communication (IPC) mechanism, is designed to record audio, add CA certificates, and hide apps to evade detection.
The first of the three campaigns took place in August 2021. It used Google Chrome as a starting point on a Samsung Galaxy S21 device to force the browser to load another URL in Samsung’s browser, without any user interaction, by exploiting CVE-2021-38000.
A second intrusion, which occurred a month later and was delivered to a fully updated Samsung Galaxy S10, involved an exploit chain that used CVE-2021-37973 and CVE-2021-37976 to escape the Chrome sandbox (not the Privacy Sandbox), then dropped a second exploit to escalate privileges and install the backdoor.
The third campaign, a full Android 0-day exploit chain, was detected in October 2021 on an up-to-date Samsung phone running the latest version of Chrome. It combined two vulnerabilities, CVE-2021-38003 and CVE-2021-1048, to escape the sandbox and compromise the system by injecting malicious code into privileged processes.
Google TAG noted that CVE-2021-1048 was patched in the Linux kernel in September 2020 but was only backported to Android last year, because the fix was not flagged as a security issue.
“Attackers are actively looking for these slow-to-patch vulnerabilities and taking advantage of them,” the researchers said.
“Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation between threat intelligence teams, network defenders, academic researchers, and technology platforms.”