Hackers exploited several 0-day vulnerabilities to infect Android devices with spy software.
Predator spyware infects Android devices via 0-day vulnerabilities
A predator is hunting Android users, as reported by Bleeping Computer. Google’s Threat Analysis Group (TAG) warns that government-backed hackers exploited five zero-day vulnerabilities in Android and Chrome to install Predator surveillance and spying software on Android devices. Predator comes from the company Cytrox, which specializes in the development of surveillance software.
The attacks began between August and October 2021. The attackers planted Predator spyware on current Android devices. According to the Google analysis, the state-backed hackers come from Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain and Indonesia. The software is typically used to spy on opponents of the regime and human rights activists or journalists.
Campaigns targeting Android users with five 0-day vulnerabilities. We assess the exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different govt-backed actors. https://t.co/wRKpCuIB8c
— Shane Huntley (@ShaneHuntley) May 19, 2022
The five exploited 0-day vulnerabilities are CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003 in Chrome, and CVE-2021-1048 in Android.
This is how the attack went
The attack typically worked like this: emails containing links that looked like URL shorteners were sent to the targeted Android users — just a few dozen select individuals. Once a potential victim clicked the link in the email, it redirected the target to an attacker-controlled domain that delivered the exploits and malware before redirecting the browser to a legitimate website. If the link was no longer active, the user was redirected directly to a legitimate website, as described by Bleeping Computer.
The attackers first installed the Android banking trojan Alien as malware, the description of which can be found here. Alien then downloaded Predator. Predator, in turn, allows recording audio, adding CA certificates and hiding apps.