Researchers from Google’s Threat Analysis Group (TAG) have warned about a powerful spyware family called PREDATOR that is being used against Android devices worldwide. As part of its ongoing effort to make Android more secure, TAG tracks zero-day vulnerabilities that cybercriminals and other threat actors exploit in the wild. The vulnerabilities used in these campaigns were unpatched when the attacks took place; Google has since disclosed them and shipped fixes, so keeping devices and browsers updated closes the specific holes these campaigns relied on.
What is the Predator spyware?
Recent reports from Google attribute the Predator spyware to a commercial surveillance vendor: Cytrox, a company headquartered in Skopje, North Macedonia. The spyware can record audio, add CA certificates to the device’s trust store (a step that lets an attacker intercept encrypted traffic) and hide apps from the user. According to Google, Predator was sold to government-backed actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia, where it was used covertly against high-value targets such as political rivals, journalists and other outspoken critics of those governments.
How did Google’s TAG discover this spyware?
In a new blog post, TAG describes three separate campaigns that took place between August and October 2021. In these campaigns, government-backed attackers used five different zero-day exploits, four against Chrome and one against the Android kernel, to install the Predator spyware on fully up-to-date Android devices.
How do ALIEN and PREDATOR spyware work?
The attackers distributed the spyware by email: the victim received a message containing a one-time link that imitated a URL-shortener service. Clicking the link took the victim to an attacker-controlled domain, which delivered a simple Android implant called ALIEN and then redirected the browser to a legitimate website so that nothing looked amiss.
ALIEN is the first-stage implant: once it is on the device, it loads the PREDATOR spyware. The two then work together. ALIEN runs inside privileged processes and receives commands from PREDATOR, and those commands include recording audio, adding CA certificates and hiding apps on the user’s device.
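One of the capabilities listed above, adding CA certificates, leaves a trace an analyst can look for: a trust anchor the device owner never installed. The script below is an added example, not code from the article or from Google TAG. It compares the certificates found in an exported trust store against a known-good baseline and reports any fingerprint that is not on the allowlist. The assumptions are mine: the certificates were exported as a PEM bundle (on Android, user-added CAs are stored under /data/misc/user/<uid>/cacerts-added/, which is readable from a forensic image), and the analyst maintains the allowlist of expected fingerprints. The sample bundle is constructed from placeholder byte strings, not real certificates.

```python
"""Baseline check for unexpected trust anchors.

Added example, not code from the article or from Google TAG. It models one
check an analyst would run after a suspected PREDATOR infection: compare the
CA certificates found in a device's user trust store against a known-good
baseline and report anything that was silently added.

Assumptions (not from the article): the certificates were exported as a PEM
bundle (on Android, user-added CAs live under
/data/misc/user/<uid>/cacerts-added/, readable from a forensic image), and the
allowlist of expected SHA-256 fingerprints is maintained by the analyst.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def parse_pem_bundle(text: str) -> list[bytes]:
    """Return the DER bytes of every certificate in a PEM bundle.

    Malformed base64 raises ValueError instead of being skipped: a truncated
    or tampered export should fail loudly during an investigation.
    """
    ders = []
    for body in PEM_RE.findall(text):
        compact = "".join(body.split())
        ders.append(base64.b64decode(compact, validate=True))
    return ders


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint, as most tools print it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_unexpected_anchors(bundle: str, allowlist: set[str]) -> list[str]:
    """Fingerprints present in the bundle that are not in the allowlist."""
    seen = {sha256_fingerprint(der) for der in parse_pem_bundle(bundle)}
    return sorted(seen - allowlist)


def make_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM block (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


# Constructed sample: placeholder byte strings standing in for DER-encoded
# certificates. They are not real CA certificates.
EXPECTED_DER = b"constructed-corporate-root-ca-placeholder"
ROGUE_DER = b"constructed-injected-ca-placeholder"
SAMPLE_BUNDLE = make_pem(EXPECTED_DER) + make_pem(ROGUE_DER)
BASELINE = {sha256_fingerprint(EXPECTED_DER)}  # what the analyst expects to see

if __name__ == "__main__":
    for fp in find_unexpected_anchors(SAMPLE_BUNDLE, BASELINE):
        print("unexpected trust anchor:", fp)
```

On a real device the baseline is the set of fingerprints recorded before deployment (or an empty set, since most users never install a CA of their own), so any output at all is worth investigating. Note that this only covers the user store; an implant running with privileges could also tamper with the system store, which would need the same comparison against the stock certificate list for that Android build.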
Against whom is the Predator spyware used?
Spyware like Predator and Pegasus is not used like commodity malware. It is deployed against a small number of high-value targets such as journalists and politicians: the campaigns Google describes hit only tens of users, whereas outbreaks like Emotet and WannaCry affected thousands or millions. Even so, it is worth understanding how this spyware operates and what steps reduce your exposure, because an implant with these capabilities can capture conversations, intercept encrypted traffic and monitor activity on the device to build a detailed profile of its owner.
What are zero-day vulnerabilities and why do attackers often use them?
Attackers favour zero-day vulnerabilities because no fix exists when they strike. Once a patch has been released, a vulnerability still exposes users who have not updated their systems or software, but every installed update shrinks the pool of exploitable devices. With a zero-day, the patch has yet to be written and distributed, so even fully patched targets are exploitable and the attack has a far higher chance of success.
This is why users can still fall victim to a zero-day attack even when they keep their system and software up to date, and why Google’s TAG and other security researchers are constantly on the lookout for new vulnerabilities and for signs that they are being exploited. Finding them early lets researchers alert vendors before cybercriminals discover the bugs, so that a patch can be produced and shipped as quickly as possible.