Google’s Threat Analysis Group (TAG) found that a threat actor used 5 zero-day vulnerabilities to install the Predator spyware developed by Cytrox.
The attackers used zero-day vulnerabilities in Android OS and Chrome to install spyware on fully updated Android devices.
According to Google’s analysis, this is a government-backed threat actor who purchased and used the vulnerabilities to target Android devices with spyware.
The threat actors deployed exploits for these zero-days in 3 separate campaigns:
- Redirecting to Sbrowser from Chrome (CVE-2021-38000)
- Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)
- Android zero day exploit chain (CVE-2021-38003, CVE-2021-1048)
More TAG research from @_clem1 & @0xbadcafe1
Campaigns targeting Android users with five 0-day vulnerabilities. We assess the exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different govt-backed actors. https://t.co/wRKpCuIB8c
— Shane Huntley (@ShaneHuntley) May 19, 2022
The first campaign, detected in August 2021, targeted Chrome on a Samsung Galaxy S21: the web server immediately replied with an HTTP redirect (302) pointing to an intent URL. This URL abused a logic flaw that forced Chrome to load another URL in the Samsung Browser without any user interaction or warning.
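A defender-side illustration of the redirect described above, added here and not taken from the TAG report: it scans captured HTTP responses for a 3xx whose Location header is an Android intent URL, and pulls out the package the intent targets. The sample responses, the host name and the Samsung Browser package name are constructed assumptions for the example.

```python
import re

# Constructed sample responses as a web proxy might record them (status line
# plus headers, CRLF-separated). The host and package name are assumed values.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: intent://example.invalid/page"
    "#Intent;scheme=https;package=com.sec.android.app.sbrowser;end\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: https://example.invalid/login\r\n"
    "Content-Length: 0\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
]

# Android intent URL shape: intent://<target>#Intent;key=value;...;end
INTENT_RE = re.compile(r"^intent://(?P<target>[^#]*)#Intent;(?P<fields>.*);end$",
                       re.IGNORECASE)


def parse_intent_url(url):
    """Return the key/value fields of an intent URL (plus 'target'), or None."""
    m = INTENT_RE.match(url.strip())
    if not m:
        return None
    fields = {}
    for kv in m.group("fields").split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            fields[key] = value
    fields["target"] = m.group("target")
    return fields


def flag_intent_redirect(raw_response):
    """Describe a 3xx response redirecting to an intent:// URL; None otherwise."""
    head = raw_response.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            fields = parse_intent_url(value)
            if fields:
                return {"status": int(parts[1]), "target": fields["target"],
                        "package": fields.get("package")}
    return None


def scan(responses):
    """Return the flagged redirects from a list of raw responses."""
    return [hit for hit in map(flag_intent_redirect, responses) if hit]
```

A legitimate site can also hand off to another app this way, so a hit is a lead for review rather than proof of exploitation.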
In September 2021, TAG detected the second campaign where the exploit chain was delivered to a fully up-to-date Samsung Galaxy S10 running the latest version of Chrome. We recovered the exploit used to escape the Chrome Sandbox, but not the initial RCE exploit.
The sandbox escape was loaded directly as an ELF binary embedding libchrome.so and a custom libmojo_bridge.so was used to ease the communication with the Mojo IPCs. This means the renderer exploit did not enable MojoJS bindings like we often see in public exploits.
In October 2021, TAG detected a full chain exploit from an up-to-date Samsung phone running the latest version of Chrome.
More details can be found in Google’s report.