Cyber surveillance attacks using packaged zero-day

A previously exposed commercial surveillance company sells a spyware service called “Predator”. It continues to target users and uses 0-day vulnerabilities to compromise Android phones. Find out how you can protect yourself against it.

Google's Threat Analysis Group (TAG) has released a new report that reveals five zero-day vulnerabilities in the Chrome browser and the Android operating system.


Google believes that the exploits were packaged by Cytrox, a commercial surveillance company.

Cytrox is a North Macedonian company with bases in Israel and Hungary. It was exposed in late 2021 as the company that develops and maintains a spyware dubbed “Predator.” Meta also exposed the company, amongst 6 other companies providing surveillance-for-hire services, and took action against it, banning it from Meta's services while alerting suspected targets about possible compromises. Meta has removed 300 Cytrox-related Instagram and Facebook accounts.

Google’s new research reveals that Cytrox sells these exploits to government-backed actors, who then used them in three attack campaigns. The Cytrox service was purchased by actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia.

Three campaigns continue to package the exploits

Google’s TAG team exposed three campaigns that each began with the delivery of links to URL shortener websites. These links were sent via email to the targeted Android users. Clicking the link took the target to an attacker-owned website, which delivered the exploits and then showed the target a legitimate site.

The last payload, ALIEN, is a simple Android malware that loads and executes PREDATOR, Cytrox’s preferred malware.

All three campaigns were limited in their targeting. Each campaign was aimed at a few tens of thousands of users.

First campaign: Exploits CVE-2021-38000

The attack, discovered in August 2021, targeted Chrome on a Samsung Galaxy phone. Once the link was opened in Chrome, it triggered a logic flaw that forced Chrome to load another URL in Samsung Browser, which was built on an older, vulnerable version of Chromium.

This vulnerability was likely exploited because the attackers didn’t have exploits for the version of Chrome on the phone (91.0.4472). Google claims that it was sold to an exploit broker, and likely abused by multiple surveillance vendors.
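
A defensive check suggested by the first campaign, as an added example that is not from Google's report or the original article: it reads device and User-Agent pairs (for example from web proxy logs) and flags secondary browsers whose embedded Chromium engine is older than the newest one seen on the same device. The sample records, device IDs, build numbers beyond 91.0.4472 and the list of vendor tokens are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample proxy-log records: (device_id, User-Agent). Not real telemetry.
SAMPLE = [
    ("dev-01", "Mozilla/5.0 (Linux; Android 11; SM-G991B) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36"),
    ("dev-01", "Mozilla/5.0 (Linux; Android 11; SAMSUNG SM-G991B) AppleWebKit/537.36 "
               "(KHTML, like Gecko) SamsungBrowser/14.2 Chrome/87.0.4280.141 Mobile Safari/537.36"),
    ("dev-02", "Mozilla/5.0 (Linux; Android 12; Pixel 6) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36"),
    ("dev-03", "curl/7.79.1"),
]

CHROMIUM_RE = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# Tokens that mark a Chromium-based browser other than Chrome itself (assumed list).
VENDOR_RE = re.compile(r"\b(SamsungBrowser|EdgA|OPR|YaBrowser)/[\d.]+")

def parse_ua(ua):
    """Return (browser_name, chromium_version_tuple), or None if not Chromium on Android."""
    m = CHROMIUM_RE.search(ua)
    if not m or "Android" not in ua:
        return None
    vendor = VENDOR_RE.search(ua)
    name = vendor.group(1) if vendor else "Chrome"
    return name, tuple(int(x) for x in m.groups())

def lagging_browsers(records):
    """Per device, list browsers whose Chromium engine is older than the newest one seen."""
    seen = defaultdict(dict)
    for device, ua in records:
        parsed = parse_ua(ua)
        if parsed:
            name, ver = parsed
            # Keep the newest version observed for each browser on the device.
            seen[device][name] = max(ver, seen[device].get(name, ver))
    findings = []
    for device, browsers in sorted(seen.items()):
        newest = max(browsers.values())
        for name, ver in sorted(browsers.items()):
            if ver[0] < newest[0]:  # compare Chromium major versions
                findings.append((device, name, ver[0], newest[0]))
    return findings

if __name__ == "__main__":
    for device, name, major, newest in lagging_browsers(SAMPLE):
        print(f"{device}: {name} runs Chromium {major}, newest on device is {newest}")
```

A device that appears in the findings has a browser that can still be reached through links or intents even though its primary browser is current, so it is a candidate for updating or disabling that secondary browser.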

Second campaign: Chrome sandbox

Like the first, the second campaign targeted a Samsung Galaxy phone. The latest Chrome version was installed on the phone. The exploit revealed two Chrome vulnerabilities: CVE-202-27973 and CVE-202-27976.

After the sandbox escape was completed, the exploit downloaded another exploit to elevate privileges and install an implant. A copy of that exploit could not be obtained.

Third campaign: Full Android zero-day exploit

The campaign, detected in October 2021, triggered a full exploit chain on a Samsung smartphone running the most recent version of Chrome.

To install the final payload, the attackers used CVE-2021-38003 (a zero-day exploit) and CVE-2021-1048.