A new report from Google’s Threat Analysis Group exposes the use of five different zero-day vulnerabilities targeting Chrome browser and Android operating systems.
Google assesses with high confidence that these exploits have been packaged by a single commercial surveillance company named Cytrox.
Cytrox is North Macedonian company with bases in Israel and Hungary that was exposed in late 2021 for being the developing and maintaining company of a spyware dubbed “Predator.” Meta also exposed that company, amongst 6 other companies providing surveillance-for-hire services, and took actions against it, banning them from their services while alerting suspected targets about possible compromises. 300 Facebook and Instagram accounts related to Cytrox have been removed by Meta.
The new research from Google explains that Cytrox sells these new exploits to government-backed actors, who then used them in three different attack campaigns. Those actors who bought the Cytrox services are located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.
SEE: Mobile device security policy (TechRepublic Premium)
Three ongoing campaigns packaging the exploits
The three campaigns exposed by Google’s TAG team all start by delivering on-time links mimicking URL shortener services. Those are sent to the targeted Android users via email. Once clicked, the link led the unsuspecting target to an attacker-owned domain delivering the exploits before showing a legitimate website to the target.
The final payload, called ALIEN, is a simple Android malware used to load and execute PREDATOR, the Cytrox malware of choice.
In terms of targeting, all three campaigns were low, meaning that each campaign targeted about only tens of users.
First campaign: Exploits CVE-2021-38000
This campaign, discovered in August 2021, targeted Chrome on a Samsung Galaxy smartphone. The link sent by the attackers, once opened with Chrome, led to a logic flaw abuse which forced Chrome to load another URL in Samsung Browser, which was running an older and vulnerable version of Chromium.
That vulnerability was probably exploited because the attackers did not have exploits for the Chrome version on that phone (91.0.4472). According to Google, it was sold by an exploit broker and probably abused by several surveillance vendors.
Second campaign: Chrome Sandbox
Just as with the first campaign, this second one also targeted a Samsung Galaxy. The phone was fully up-to-date and running the latest Chrome version. Analysis of the exploit identified two different Chrome vulnerabilities, CVE-2021-37973 and CVE-2021-37976.
After the sandbox escape was successful, the exploit downloaded another exploit to elevate the users privileges and install the implant. A copy of the exploit could not be obtained.
Third campaign: Full Android zero-day exploit
That campaign detected in October 2021 triggered a full chain exploit from an up-to-date Samsung smartphone once again running the latest version of Chrome.
Two zero-day exploits have been used, CVE-2021-38003 and CVE-2021-1048, to enable the attackers to install their final payload.
Patching problem raised
CVE-2021-1048, which allows an attacker to escape the Chrome sandbox and compromise the system by injecting code into privileged processes, was fixed in the Linux kernel in September 2020, about a year before the attack campaign discovered by Google.
The commit for that vulnerability was not flagged as a security issue, resulting in the patch not being backported in most Android kernels. A year after the fix, all Samsung kernels were vulnerable, and likely many more smartphone brands running Android systems were affected as well. LTS kernels running on Pixel phones were recent enough and included the fix for the vulnerability.
Google highlights the fact that it is not the first time such an incident happened and mentions another example – the Bad Binder vulnerability in 2019.
This issue in backporting some patches is profitable to attackers who are actively looking for slowly-fixed vulnerabilities.
More than Cytrox in the wild
Google states that they are currently tracking more than 30 vendors with different levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors and will keep updating the community as they uncover those campaigns.
These kinds of commercial entities generally have complex ownership structures, quick rebranding and alliances with partners in the financial field that make it harder to investigate them, but it is still possible to detect their spyware in corporate networks.
How can you protect yourself from this threat?
Threats on Android phones are harder to detect than on laptops because smartphones often lack security compared to computers.
For starters, the operating system and all applications should always be up-to-date and patched.
Security tools should be deployed on smartphones, and installation of unnecessary applications on the devices should be forbidden, in addition to forbidding installation of third-party applications coming from unreliable sources.
Every application’s permissions should be checked carefully, especially when installing a new one. Users should be extra cautious when installing applications that request the rights to manipulate SMS or record audio, which may be a warning sign for a spyware.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.