Cytrox’s Spyware Attacks Android Users with Zero-Day Exploits

An analysis published on Thursday by Google’s Threat Analysis Group (TAG) lists five zero-day vulnerabilities exploited by Cytrox, a North Macedonian spyware developer.

Four of these five zero-day vulnerabilities were found in Chrome and one in Android. The exploits for them were used against Android users.

The report also lists the countries where Cytrox is alleged to have sold the exploits, packaged for use by government-backed actors, including the following:-

  • Egypt
  • Armenia
  • Greece
  • Madagascar
  • Côte d’Ivoire
  • Serbia
  • Spain
  • Indonesia

Predator is an implant from the commercial surveillance company Cytrox and is analogous to Pegasus from NSO Group. Most notably, Cytrox has developed tools that let its clients compromise iOS and Android devices with ease.

In December 2021, Meta Platforms disclosed that it had removed roughly 300 accounts on Facebook and Instagram that Cytrox used as part of its compromise campaigns.

Flaws Detected

The following are details of the five zero-day vulnerabilities which have been exploited in Chrome and Android:-

  • CVE-2021-37973: use-after-free in the Portals API.
  • CVE-2021-37976: information leak in core.
  • CVE-2021-38000: insufficient validation of untrusted input in Intents.
  • CVE-2021-38003: inappropriate implementation in V8.
  • CVE-2021-1048: use-after-free in the Android kernel.

Technical Analysis

All three campaigns began with a spear-phishing email containing a one-time link that mimicked a URL shortener service, which the target had to click.

The rogue links redirected targets to an attacker-controlled domain that dropped the exploits before sending the browser on to a legitimate site.
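A defender-side heuristic for the delivery chain described above, as an added example that is not part of the TAG report or this article: it reads constructed proxy log lines (a hypothetical format with timestamp, client, method, URL, status and Location) and flags redirect chains that start at a host imitating a URL-shortener brand, pass through another domain, and land on a final page.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Real shortener domains; a host that carries a shortener brand token but is
# not one of these is treated as a lookalike (heuristic, assumed for this example).
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}
BRAND_TOKENS = ("bitly", "bit-ly", "tinyurl", "goo-gl", "t-co")
MAX_HOP_SECONDS = 5  # a browser follows a redirect within a few seconds

# Constructed sample log (hypothetical hosts): ts client method url status location
SAMPLE_LOG = """\
1628000001 10.0.0.7 GET https://bitly-link.example/Qx9 302 https://cdn-update.example/p/a1
1628000002 10.0.0.7 GET https://cdn-update.example/p/a1 302 https://news.example/article
1628000003 10.0.0.7 GET https://news.example/article 200 -
1628000010 10.0.0.9 GET https://bit.ly/abc 301 https://news.example/article
1628000011 10.0.0.9 GET https://news.example/article 200 -
"""

def looks_like_shortener(host):
    """True for a host that imitates a shortener brand but is not the real service."""
    return host not in KNOWN_SHORTENERS and any(t in host for t in BRAND_TOKENS)

def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, _m, url, status, loc = line.split()
            events.append((int(ts), client, url, int(status), None if loc == "-" else loc))
    return events

def find_suspicious_chains(text):
    """Return one list of hosts per chain: lookalike -> staging domain -> landing page."""
    by_client = defaultdict(list)
    for ev in parse_log(text):
        by_client[ev[1]].append(ev)
    flagged = []
    for events in by_client.values():
        events.sort(key=lambda e: e[0])
        for i, (ts, _c, url, status, loc) in enumerate(events):
            host = urlparse(url).hostname or ""
            if not (300 <= status < 400 and loc and looks_like_shortener(host)):
                continue
            chain, cur_ts, cur_loc = [host], ts, loc
            for nts, _nc, nurl, nstatus, nloc in events[i + 1:]:
                if nurl != cur_loc or nts - cur_ts > MAX_HOP_SECONDS:
                    continue  # not the follow-up request for the pending redirect
                chain.append(urlparse(nurl).hostname or "")
                if 300 <= nstatus < 400 and nloc:
                    cur_ts, cur_loc = nts, nloc  # another hop to follow
                else:
                    break  # final landing page reached
            if len(chain) >= 3:
                flagged.append(chain)
    return flagged
```

The real bit.ly hop for client 10.0.0.9 is not flagged; only the lookalike chain that bounces through an intermediate domain is.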

The researchers assessed that the ultimate goal of the operation was to distribute malicious software dubbed “ALIEN” on infected Android devices as a prelude to loading Predator.

In addition to recording audio, adding CA certificates, and hiding apps to evade detection, this “simple” implant interacts with Predator over an IPC mechanism.

The first of the three campaigns took place at the beginning of August 2021. By exploiting CVE-2021-38000, the attacker was able to force Google Chrome on a Samsung Galaxy S21 to open another URL in the Samsung Internet browser without any user interaction.

In another intrusion a month later, on a Samsung Galaxy S10 running the most recent software update, an exploit chain built on CVE-2021-37973 and CVE-2021-37976 was used to escape the Chrome sandbox and install the backdoor.

In October 2021, the third campaign was detected on an up-to-date Samsung phone running the then-latest version of Chrome. It escaped the sandbox and compromised the system by injecting malicious code into privileged processes, exploiting the following vulnerabilities:-

  • CVE-2021-38003
  • CVE-2021-1048

The Chrome and Android teams at Google must be commended for the speed with which they responded and patched these vulnerabilities.

Google’s TAG currently tracks more than 30 vendors selling exploits and surveillance technologies to government-supported actors, with varying levels of sophistication and public exposure.

Dealing with the harmful practices of the commercial surveillance industry will take a comprehensive, robust, and collaborative approach, built on partnerships and cooperation.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.