As part of its continuing effort to make Android smartphones more secure, Google’s Threat Analysis Group (TAG) tracks zero-day vulnerabilities that are being exploited by hackers and other threat actors. TAG recently issued a warning about the PREDATOR spyware, which is being used against Android smartphones around the world.
The vulnerabilities involved were serious because attackers were exploiting them before anyone else knew they existed; Google has since released patches for them, so keeping Chrome and Android up to date is the first line of defense.
What is the Predator spyware?
According to Google’s report, Predator was developed by a commercial surveillance vendor rather than by a government. Google attributes it to Cytrox, a company based in Skopje, North Macedonia. The spyware can record audio, add CA certificates to the device (which lets the operator intercept TLS-protected traffic), and hide apps. Google believes Predator was sold to government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia, where it was used covertly against high-value targets such as political rivals, journalists, and other vocal critics of the respective governments.
How did Google’s TAG discover this spyware?
In a new blog post, TAG detailed three distinct campaigns that took place between August and October 2021. Government-backed attackers used five different zero-day vulnerabilities (four in Chrome and one in Android) to install the Predator spyware on Android smartphones that were fully up to date at the time, since no patches yet existed for the bugs being exploited.
How do ALIEN and PREDATOR spyware work?
The operators deliver the spyware through email: the victim receives a message containing a one-time link that looks like it came from a URL shortener service. When the victim clicks the link, the browser is sent to an attacker-controlled domain, where the exploit chain runs and drops ALIEN, a simple Android malware, before redirecting the browser to a genuine website so that nothing looks out of the ordinary.
ALIEN is responsible for loading PREDATOR, the actual implant, onto the targeted Android smartphone. ALIEN runs inside several privileged processes and receives commands from PREDATOR over IPC, which lets the spyware record audio, install CA certificates, and hide apps on the user’s device.
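Because the initial lure is a link dressed up as a shortener URL, one check a defender can run over incoming mail is whether each link’s host is a genuine shortener or merely looks like one. The following is an added example, not code from Google TAG or from the original article; the shortener allowlist, the lookalike heuristics (a shortener brand reused as a label in another domain, or a host within a small edit distance of a real shortener) and the sample message are all constructed for illustration and would need tuning for a real mail pipeline.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist of legitimate shortener hosts (assumption: extend it
# with the services your organisation actually sees in legitimate mail).
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

# Edit-distance threshold for treating a host as a typo-squat of a shortener.
MAX_EDIT_DISTANCE = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def extract_urls(text: str) -> list:
    """Pull every http(s) URL out of a message body."""
    return URL_RE.findall(text)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL ('' if it cannot be parsed)."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""


def classify_host(host: str) -> str:
    """Return 'known' (real shortener), 'lookalike' (mimics one) or 'other'."""
    host = host.lower().rstrip(".")
    if host in KNOWN_SHORTENERS:
        return "known"
    # Labels of the host, with hyphens split too, so bit-ly.example -> bit, ly, example
    labels = set(host.replace("-", ".").split("."))
    for shortener in KNOWN_SHORTENERS:
        brand = shortener.split(".")[0]
        # A short brand such as "t" or "is" would match far too much, so skip it.
        if len(brand) >= 3 and brand in labels:
            return "lookalike"
        # Typo-squats of reasonably long shortener hosts, e.g. tinyur1.com
        if len(shortener) >= 6 and levenshtein(host, shortener) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "other"


def triage(message: str) -> list:
    """Classify every URL in a message; returns [(url, host, verdict), ...]."""
    results = []
    for url in extract_urls(message):
        host = host_of(url)
        results.append((url, host, classify_host(host)))
    return results


def suspicious_urls(message: str) -> list:
    """Only the URLs whose host mimics a shortener without being one."""
    return [url for url, _host, verdict in triage(message) if verdict == "lookalike"]


if __name__ == "__main__":
    # Constructed sample message (not a real lure) with one genuine shortener link,
    # two lookalikes and one ordinary link.
    SAMPLE = (
        "Please review the attached document: https://bit-ly.example/doc\n"
        "Backup copy: https://tinyur1.com/q9x2\n"
        "Our public site: https://example.org/page\n"
        "Real shortener for comparison: https://bit.ly/3abcXYZ\n"
    )
    for url, host, verdict in triage(SAMPLE):
        print(f"{verdict:9s} {host:20s} {url}")
```

The brand-as-label rule catches hosts like `bit-ly.example`, where the attacker buys an unrelated domain and leans on the familiar brand name; the edit-distance rule catches single-character typo-squats. Neither rule proves a link is malicious, and a genuine shortener link can still lead to an exploit page, so treat the verdict as a triage signal to feed into link detonation or blocking, not as a final decision.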
Against whom is the Predator spyware used?
Spyware such as Predator and Pegasus is not used the way ordinary mass malware is. It is aimed at a small number of high-value targets such as journalists and politicians: the campaigns Google described involved only tens of targets, whereas Emotet and WannaCry affected thousands or millions of people. Even so, it is worth understanding how this spyware works and taking sensible precautions, because once it is on a device the operator can monitor calls, messages and browsing and build a detailed profile of the target.
What are zero-day vulnerabilities and why do attackers often use them?
Cybercriminals and other threat actors prefer zero-day vulnerabilities because no fix exists yet at the time of the attack. Once a patch has been released, a vulnerability becomes less useful to attackers, although it still exposes users who have not updated their systems or software. With a zero-day, a patch has not yet been written or distributed, so every affected device is exploitable and the attack is far more likely to succeed.
This means users can fall victim to a zero-day attack even when they keep their system and software fully up to date. It is why Google’s TAG and other security researchers constantly hunt for vulnerabilities that attackers are exploiting, or could exploit, before they are widely known: finding them early lets researchers alert the vendor and get a patch written and shipped as quickly as possible.
Google Issues Warning on State of the Art Predator Spyware - June 1, 2022