Google issues alert: Android users should beware of spyware exploiting zero-day vulnerabilities

Last Thursday, Google’s Threat Analysis Group (TAG) disclosed details of three campaigns that used Predator spyware, developed by North Macedonian company Cytrox. Unlike the powerful Pegasus malware that NSO Group developed for iOS, Predator is aimed at Android users.

Consistent with findings on Cytrox published in December by researchers at the Citizen Lab at the University of Toronto, TAG saw evidence that the state-backed actors who purchased the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia, and that there may be other clients. The hacking tool exploits five previously unknown Android vulnerabilities, as well as known flaws for which fixes exist but were not yet available to the victims.

Shane Huntley, director of Google TAG, said: “It’s important for people to understand the ecosystem of monitoring vendors and how these vulnerabilities are being sold. We want to reduce the number of vendors and governments and others buying their products. The ability for actors to throw out these dangerous zero-days at no cost. If there is no regulation, no harm in using these capabilities, then you will see it more and more.”

The commercial spyware industry gives governments that don’t have the funds or expertise to develop their own hacking tools access to a wide range of products and surveillance services. This gives oppressive regimes and law enforcement broader access to tools that allow them to spy on dissidents, human rights activists, journalists, political opponents and ordinary citizens. While much attention has been focused on spyware targeting Apple’s iOS, Android, the world’s dominant operating system, has been facing similar exploitation attempts.

“We just want to protect users and detect this activity as quickly as possible. We don’t think we can find everything all the time, but we can slow down these actors,” Huntley said.

TAG said it currently tracks more than 30 surveillance-for-hire vendors, which have varying degrees of public presence and offer a range of exploits and monitoring tools. In the three Predator campaigns examined by TAG, the attackers emailed Android users a one-time link that appeared to have been shortened with a standard URL shortener.
