State-sponsored threat actors have exploited five Android OS and Google Chrome zero-day vulnerabilities to infect Android devices with Cytrox's Predator spyware in three campaigns from August to October 2021, reports BleepingComputer.
Google's Threat Analysis Group noted that Cytrox had packaged the zero-day exploits before selling them to government-backed attackers in Armenia, Côte d'Ivoire, Egypt, Greece, Indonesia, Madagascar, Serbia, and Spain. "All three campaigns delivered one-time links mimicking URL shortener services to the targeted Android users via email. The campaigns were limited in each case; we assess the number of targets was in the tens of users," researchers said. The report detailed that the campaigns first installed the Android Alien banking trojan and then deployed the Predator spyware, which enables audio recording, hiding of apps, and installation of CA certificates.
"TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors," added researchers.