Cyber mercenaries working for government agencies are not feeling any crisis. Security researchers from Google's Threat Analysis Group have just revealed three spying campaigns against Android devices, detected between August and October 2021 and attributed to the vendor Cytrox, founded in 2017 in North Macedonia. The company was first identified in December 2021 by The Citizen Lab and has been taking business from its competitor NSO since the latter ran into media and political trouble. Cytrox’s software is reported to have replaced Pegasus within the Saudi repressive apparatus from July 2021 onwards.
In any case, from a technical point of view, the Cytrox developers have nothing to envy their NSO counterparts. The three campaigns analyzed by Google relied on five zero-day flaws: four in the Chrome browser and one in the Android OS. “We believe with great confidence that these exploits were integrated by a single commercial surveillance company, Cytrox, and sold to various government actors,” claims Google in a blog post.
These campaigns were highly targeted, affecting just a few dozen Android users. They systematically used shortened links inserted in e-mails as the initial infection vector. When the user clicks the link, the browser is sent to a domain that performs the initial infection of the device, then redirected to a legitimate site so as not to arouse suspicion. The purpose of these campaigns was to install Cytrox’s “Predator” spyware.
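The one-click chain described above (shortener, then an unfamiliar landing domain, then a bounce to a legitimate site) leaves a recognisable footprint in web-proxy logs. The following is an added defender-side example, not code from Google's analysis or from the article: it parses a hypothetical proxy log format, groups requests per client, and flags the shortener → unknown host → known-good host pattern. The log lines, the shortener list and the allow-list of known-good hosts are all constructed placeholders.

```python
"""Flag shortener -> unknown landing host -> known-good site redirect chains in proxy logs.

Added example. Log format, domains and sample lines are hypothetical/constructed;
replace SHORTENER_HOSTS and KNOWN_GOOD_HOSTS with lists from your own telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hypothetical: hosts of URL shorteners seen in your environment.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com", "short.example"}
# Hypothetical: destinations the organisation considers legitimate landing sites.
KNOWN_GOOD_HOSTS = {"news.example.com", "www.example.org"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed sample log: timestamp client method url status location("-" if none).
# Client 10.0.0.5 follows the suspicious chain; client 10.0.0.7 goes straight to a good site.
SAMPLE_LOG = """\
2021-09-14T10:00:01Z 10.0.0.5 GET https://short.example/abc123 302 https://cdn-update-check.example/land
2021-09-14T10:00:02Z 10.0.0.5 GET https://cdn-update-check.example/land 200 -
2021-09-14T10:00:05Z 10.0.0.5 GET https://cdn-update-check.example/land 302 https://news.example.com/article/42
2021-09-14T10:00:06Z 10.0.0.5 GET https://news.example.com/article/42 200 -
2021-09-14T11:30:00Z 10.0.0.7 GET https://short.example/xyz 302 https://news.example.com/article/7
2021-09-14T11:30:01Z 10.0.0.7 GET https://news.example.com/article/7 200 -
"""


def parse_log(text):
    """Turn whitespace-separated log lines into dicts with parsed timestamps and hostnames."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, status, location = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client,
            "host": urlparse(url).hostname,
            "status": int(status),
            "redirect_to": None if location == "-" else urlparse(location).hostname,
        })
    return records


def find_bounce_chains(records, window=timedelta(seconds=60)):
    """Return one alert per client for each shortener -> landing -> known-good chain.

    A chain is: a shortener redirects the client to a host that is neither a shortener
    nor known-good, and within `window` that host redirects the same client to a
    known-good site. dwell_seconds is how long the client sat on the landing host.
    """
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec["client"]].append(rec)

    alerts = []
    for client, events in by_client.items():
        events.sort(key=lambda r: r["ts"])
        for i, hop in enumerate(events):
            if hop["host"] not in SHORTENER_HOSTS or hop["status"] not in REDIRECT_STATUSES:
                continue
            landing = hop["redirect_to"]
            if landing is None or landing in SHORTENER_HOSTS or landing in KNOWN_GOOD_HOSTS:
                continue  # direct shortener -> good site is the normal case
            for later in events[i + 1:]:
                if later["ts"] - hop["ts"] > window:
                    break
                if later["host"] == landing and later["redirect_to"] in KNOWN_GOOD_HOSTS:
                    alerts.append({
                        "client": client,
                        "shortener": hop["host"],
                        "landing": landing,
                        "final": later["redirect_to"],
                        "dwell_seconds": (later["ts"] - hop["ts"]).total_seconds(),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_bounce_chains(parse_log(SAMPLE_LOG)):
        print(alert)
```

The dwell time between the first landing-page request and the bounce is worth keeping in the alert: a landing page that exists only to forward users would redirect immediately, whereas one that spends a few seconds serving content before forwarding is the pattern worth a closer look.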
One of these campaigns could perhaps have been avoided, because it relied on a bug in the Linux kernel that had been fixed as early as September 2020, a year before Cytrox exploited it. “The update was not flagged as a security issue and therefore the fix did not make it into most Android kernels. At the time of the exploit, all Samsung kernels were vulnerable,” says Google.
This new analysis shows, once again, that surveillance product vendors have reached a level of sophistication that previously existed only within government entities. Google researchers point out that of the nine zero-days discovered in 2021, seven were exploited by such actors for the benefit of government clients. They currently have around thirty vendors on their radar that they actively track.
Source: Google