Spyware Predator Uses Five 0-day Vulnerabilities to Attack Android Users

Analysts at the Google Threat Analysis Group (TAG) have discovered that government-backed hackers used five zero-day vulnerabilities to install the Predator spyware, created by the commercial spyware developer Cytrox.


The researchers say they recorded three campaigns between August and October 2021. In these attacks, the attackers used 0-day exploits targeting Chrome and Android, even against fully updated Android devices. The experts attribute these vulnerabilities and their exploitation “with a high degree of confidence” to Cytrox, based in North Macedonia.

According to TAG, government hackers purchased and used these exploits to infect Android devices with spyware in Egypt, Armenia, Greece, Madagascar, Cote d’Ivoire, Serbia, Spain and Indonesia.

“0-day exploits were used alongside n-day exploits, as the exploit developers took advantage of the gap between the time when some critical bugs were already fixed but not yet flagged as security issues and the time when these fixes were fully deployed across the Android ecosystem,” the experts write.

The following vulnerabilities were used to distribute Predator:

  1. CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 in Chrome;
  2. CVE-2021-1048 in Android.

Exploits for these problems were used in three separate campaigns:

  1. campaign #1 – redirect to SBrowser from Chrome (CVE-2021-38000);
  2. campaign #2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976);
  3. campaign #3 – a chain of 0-day exploits for Android (CVE-2021-38003, CVE-2021-1048).

“All three campaigns delivered one-time links that mimic URL shortening services to targeted Android users via email. The campaigns were limited – in each case, we estimate the number of targets at dozens of users. Once clicked, the link redirected the victim to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate site. If the link was no longer active, the user was immediately taken to a legitimate site,” the TAG report says.

The attackers’ ultimate goal was to deploy the Alien RAT, which in turn downloaded Predator onto infected devices. This malware received commands from Predator via an IPC mechanism and could record audio, add CA certificates, and hide applications to avoid detection.


About William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months later I got a virus on that PC. After graduating from school, I decided to enter the INSA Centre Val de Loire university. This French educational institution was offering a brand-new cybersecurity course. After getting a master's degree in cybersecurity, I started working as a virus analyst at a small anti-malware vendor.