NSO and . group Its powerful Pegasus malware has dominated the debate over commercial spyware vendors selling their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the broader surveillance-for-hire industry. As part of this effort, Google’s Threat Analysis Group is publishing details of three campaigns that use the popular Predator spyware, developed by Cytrox in North Macedonia, to target Android users.
In line with findings by researchers at the University of Toronto’s Citizen Lab on Cytrox, TAG found evidence that state-sponsored actors that bought Android exploits are located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia and Spain. , and Indonesia. And there may be other customers. The hacking tools took advantage of five previously unknown Android security vulnerabilities, as well as known flaws that had fixes available but the victims were not patched.
“It is important to shed some light on the ecosystem of monitoring service providers and how these vulnerabilities are sold,” says Shane Huntley, Director of Google TAG. “We want to reduce the ability of sellers, governments, and other actors who buy their products to eliminate these dangerous zero-days at no cost. If there is no regulation and no downside to using these capabilities, you will see that more and more.”
The commercial spyware industry has given governments that don’t have the money or expertise to develop their own hacking tools access to a wide range of monitoring products and services. This allows repressive regimes and broader law enforcement to gain the tools that enable them to monitor dissidents, human rights activists, journalists, political opponents, and ordinary citizens. And while a lot of attention has been focused on Apple’s iOS-targeted spyware, Android is the dominant operating system worldwide and faces similar exploit attempts.
“We just want to protect users and find that activity as quickly as possible,” Huntley says. “We don’t think we can find everything all the time, but we can slow down these actors.”
TAG says it currently tracks over 30 MVR vendors with varying levels of public presence and offer a range of exploitation and monitoring tools. In the three Predator campaigns examined by TAG, attackers sent Android users one-time links via email that appeared to have been shortened using a standard URL shortener. The attacks were targeted, focusing on only a few dozen potential victims. If a target clicks on the malicious link, it will take them to a malicious page that automatically started spreading the exploits before quickly redirecting them to a legitimate website. On that malicious page, the attackers spread “Alien”, an Android malware designed to download Cytrox’s full spy tool, Predator.
As with iOS, such attacks on Android require exploiting a series of operating system vulnerabilities in sequence. By deploying fixes, operating system makers can break these attack chains, sending spyware vendors to the drawing board to develop new or modified vulnerabilities. But while this makes it more difficult for attackers, the commercial spyware industry can still thrive.
“We cannot lose sight of the fact that the NSO Group or any one of these vendors is just one part of a broader ecosystem,” says John Scott Railton, Senior Researcher at Citizen Lab. “We need cross-platform collaboration so that enforcement and mitigation measures cover the full scope of what these commercial players are doing and make it difficult for them to continue.”