Google TAG: Cytrox’s Predator Spyware Used To Target Android Users


NSO Group and its powerful Pegasus malware have dominated the debate about commercial spyware vendors that sell their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the wider surveillance-for-hire industry. As part of this effort, Google’s Threat Analysis Group (TAG) published details on Thursday of three campaigns that used the popular Predator spyware, developed by the North Macedonian company Cytrox, to target Android users.

In line with findings on Cytrox published in December by researchers at the University of Toronto’s Citizen Lab, TAG saw evidence that the state-sponsored actors who purchased the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia. And there may have been other customers. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known vulnerabilities for which fixes were available but which the victims had not patched.

“It is important to shed some light on the ecosystem of the monitoring provider and how these exploits are sold,” said Google TAG director Shane Huntley. “We want to reduce the ability of both suppliers and governments and other actors to buy their products to live in these danger-free days without any cost. If there is no regulation and no downside to using these abilities, then you will see it more and more.”

The commercial spyware industry has given governments that lack the funding or expertise to develop their own hacking tools access to an expansive array of surveillance products and services. This allows repressive regimes, and law enforcement more broadly, to acquire tools that let them surveil dissidents, human rights activists, journalists, political opponents and ordinary citizens. And while a lot of attention has been focused on spyware targeting Apple’s iOS, Android is the dominant operating system worldwide and is facing similar exploitation attempts.

“We just wanted to protect our users and find this activity as quickly as possible,” Huntley said. “We don’t think we can find everything all the time, but we can slow down these triggers.”

TAG says it currently tracks more than 30 surveillance-for-hire vendors that have varying degrees of public presence and offer a wide range of exploits and surveillance tools. In the three Predator campaigns TAG examined, the attackers sent Android users one-time links via email that looked like they had been shortened with a standard URL shortener. The attacks were targeted, focusing on only a few dozen potential victims. If a target clicked the malicious link, it took them to a malicious page that automatically launched the exploits before quickly redirecting them to a legitimate website. From that malicious page, the attackers deployed “Alien,” Android malware designed to load Cytrox’s full-fledged spyware tool, Predator.

As is the case with iOS, such attacks on Android require exploiting a series of operating system vulnerabilities in sequence. By deploying fixes, OS makers can break these attack chains, sending spyware vendors back to the drawing board to develop new or modified exploits. But while this makes things more difficult for attackers, the commercial spyware industry can still thrive.

“It’s unlikely that we’ll see the NSO Group or any of these vendors as just one part of a broader ecosystem,” said John Scott-Railton, a senior research fellow at Citizen Lab. “We need cross-platform collaboration so that enforcement actions and mitigations cover the full range of activities of these commercial players and make it harder for them to continue.”


