Spyware vendor Cytrox sold zero-day exploits to government-backed snoops who used them to deploy the firm’s Predator spyware in at least three campaigns in 2021, according to Google’s Threat Analysis Group (TAG).

The Predator campaigns relied on four vulnerabilities in Chrome (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003) and one in Android (CVE-2021-1048) to infect devices with the surveillance-ware. 

Based on CitizenLab’s analysis of Predator spyware, Google’s bug hunters believe that the buyers of these exploits operate in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, Indonesia, and possibly other countries.

“We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns,” Google security researchers Clement Lecigne and Christian Resell wrote in a TAG update this month.

Cytrox, which is based in the Balkan state of North Macedonia, did not respond to The Register‘s request for comment.

“Our findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits,” the researchers wrote, adding that seven of the nine zero-day exploits that TAG discovered last year were developed by commercial vendors and sold to government-backed operators.

While NSO Group and its Pegasus spyware is perhaps the most notorious of these commercial providers, we’re told that TAG is tracking more than 30 such software providers that possess “varying levels of sophistication.” All of them are selling exploits or surveillance malware to governments for supposedly legitimate purposes.

Highly-targeted campaigns

The Predator campaigns were highly targeted to just tens of users hit, according to the Googlers. While the researchers didn’t provide specifics about who these campaigns targeted, they do note that they’ve seen this sort of tech used against journalists in the past. Similarly, CitizenLab’s analysis details Predator spyware being used against an exiled Egyptian politician and an Egyptian journalist.  

Each of the TAG-discovered campaigns delivered a one-time link via email that spoofed URL shortening services. Once clicked, these URLs directed the victims to an attacker-owned domain that delivered Alien, Android malware that loads the Predator spyware and performs operations for it.

“Alien lives inside multiple privileged processes and receives commands from Predator over IPC,” Lecigne and Resell noted. “These commands include recording audio, adding CA certificates, and hiding apps.”

The first campaign, which TAG detected in August 2021, used a Chrome vuln on Samsung Galaxy S21 devices. Opening the emailed link in Chrome triggered a logic flaw in the browser that forced the Samsung-supplied browser to open another URL. The content at that other URL likely exploited flaws in the Samsung browser to fetch and run Alien.

The security researchers surmise that the attackers didn’t have exploits for the then-current version of Chrome (91.0.4472) and instead used n-day exploits against Samsung Browser, which was running an older version of Chromium. 

“We assess with high confidence this vulnerability was sold by an exploit broker and probably abused by more than one surveillance vendor,” they wrote.

The second campaign, which TAG observed in September 2021, chained two exploits: an initial remote code execution and then a sandbox escape. It targeted an up-to-date Samsung Galaxy S10 running the latest version of Chrome.

“After escaping the sandbox, the exploit downloaded another exploit in /data/data/com.android.chrome/p.so to elevate privileges and install the Alien implant,” according to Lecigne and Resell, adding that they haven’t retrieved a copy of the exploit.

TAG analyzed one other campaign, a full Android exploit chain, targeting an up-to-date Samsung phone running the latest version of Chrome. It included a zero-day in JSON.stringify and a sandbox escape, which used a Linux kernel bug in the epoll() system call to gain sufficient privileges to hijack the device.

This particular Linux kernel bug, CVE-2021-1048, was fixed more than a year before the campaign. However, the commit was not flagged as a security issue, so the update wasn’t backported to most Android kernels. All Samsung kernels remained vulnerable when the nation-state backed gangs carried out this exploit. ®