Article

19 May 2022

Author:
Lily Hay Newman, WIRED

Android users from 8+ countries allegedly targeted by state-sponsored spyware campaigns

"Spyware Vendors Target Android With Zero-Day Exploits" 19 May 2022

Google's Threat Analysis Group is publishing details on Thursday of three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox, to target Android users.

In line with findings on Cytrox published in December by researchers at University of Toronto’s Citizen Lab, TAG saw evidence that state-sponsored actors who bought the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. And there may have been other customers. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known flaws that had fixes available but that victims hadn’t patched...

...TAG says it currently tracks more than 30 surveillance-for-hire vendors that have ranging levels of public presence and offer an array of exploits and surveillance tools. In the three Predator campaigns TAG examined, attackers sent Android users one-time links over email that looked like they had been shortened with a standard URL shortener. The attacks were targeted, focusing on just a few dozen potential victims. If a target clicked on the malicious link, it took them to a malicious page that automatically began deploying the exploits before quickly redirecting them to a legitimate website. On that malicious page, attackers deployed “Alien,” Android malware designed to load Cytrox's full spyware tool, Predator....