State-backed actors have exploited five zero-day vulnerabilities to deploy Predator spyware on compromised devices, Google’s Threat Analysis Group (TAG) disclosed in a new security report.
In the attacks, part of three malicious campaigns launched between August and October 2021, the perpetrators leveraged zero-day exploits against Chrome and Android OS. They managed to install Predator spyware on fully updated devices, the report shows.
Security experts believe a commercial surveillance company supplied the exploits to various government-backed threat actors who used them in the attacks. According to Google TAG’s analysis, the perpetrators are from Armenia, Egypt, Madagascar, Greece, Serbia, Côte d’Ivoire, Spain and Indonesia.
“The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem,” according to Google TAG’s report.
The three campaigns used a total of five previously unknown zero-day Chrome and Android vulnerabilities:
- First campaign – Chrome SBrowser redirection (CVE-2021-38000, Chrome zero-day flaw)
- Second campaign – Chrome sandbox escape (CVE-2021-37976, CVE-2021-37973, Chrome zero-day flaws)
- Third campaign – Complex Android zero-day chain of exploits (CVE-2021-1048, Android zero-day flaw, and CVE-2021-38003, Chrome zero-day flaw)
In all three campaigns, the attackers emailed their targets one-time links purporting to be URL shortener services. Opening the malicious link took the victim to an attacker-controlled domain, where the exploits were delivered to the device; the victim was then redirected to a legitimate website.
If the attacker’s domain was not active, the victim landed directly on the legitimate website. In these campaigns the perpetrators deployed an Android banking trojan (Alien) with RAT features, which was used to load the Predator implant. The implant could then perform a series of privileged actions on the infected device, such as hiding apps, recording audio, and adding CA certificates.
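The delivery pattern described above (a shortener-style link that bounces through an attacker domain and then lands on a legitimate site, or lands there directly once the staging domain is gone) leaves a distinctive trace in web proxy logs. The following is an added example, not code from the article or from Google TAG, that reconstructs per-client redirect chains from constructed proxy log lines and flags chains that start at a shortener-looking domain and pass through a domain with no established reputation before reaching the final page. The log format, the `short.example` / `cdn-update.example` / `news.example` hostnames and the two domain lists are all constructed assumptions for illustration.

```python
"""Reconstruct HTTP redirect chains from proxy logs and flag
shortener -> unknown intermediary -> legitimate-site patterns.
All log lines, hostnames and domain lists are constructed for this example."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log. Fields: timestamp client method url status location
# ("-" means the response carried no Location header).
SAMPLE_LOG = """\
2021-09-14T10:01:02Z 10.0.0.7 GET http://short.example/Ab3xQ 302 http://cdn-update.example/landing
2021-09-14T10:01:03Z 10.0.0.7 GET http://cdn-update.example/landing 302 https://news.example/article
2021-09-14T10:01:04Z 10.0.0.7 GET https://news.example/article 200 -
2021-09-14T10:05:00Z 10.0.0.9 GET http://short.example/Zz91k 302 https://news.example/article
2021-09-14T10:05:01Z 10.0.0.9 GET https://news.example/article 200 -
2021-09-14T10:07:00Z 10.0.0.7 GET https://news.example/other 200 -
"""

# Constructed reputation data: hostnames that behave like URL shorteners,
# and hostnames with established prevalence in this environment.
SHORTENER_DOMAINS = {"short.example"}
KNOWN_DOMAINS = {"news.example", "short.example"}


def parse_log(text):
    """Parse the constructed space-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, location = line.split(maxsplit=5)
        events.append({"ts": ts, "client": client, "url": url,
                       "status": int(status),
                       "location": None if location == "-" else location})
    return events


def host(url):
    return urlsplit(url).hostname or ""


def build_chains(events):
    """Stitch 3xx responses into chains per client: a hop continues the
    chain only if its Location equals the URL of that client's next request."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client"]].append(e)
    chains = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        i = 0
        while i < len(evs):
            chain = [evs[i]]
            while (300 <= chain[-1]["status"] < 400 and chain[-1]["location"]
                   and i + 1 < len(evs)
                   and evs[i + 1]["url"] == chain[-1]["location"]):
                i += 1
                chain.append(evs[i])
            if len(chain) > 1:
                chains.append((client, chain))
            i += 1
    return chains


def classify_chain(chain):
    """'suspicious' when a shortener link passes through an unknown host
    before the final page; 'benign-looking' when it goes straight to the
    final page, which is what a taken-down staging domain also looks like."""
    hops = [host(e["url"]) for e in chain]
    if hops[0] not in SHORTENER_DOMAINS or len(hops) < 2:
        return "ignore"
    intermediaries = [h for h in hops[1:-1] if h not in KNOWN_DOMAINS]
    return "suspicious" if intermediaries else "benign-looking"


def find_suspicious(text):
    """Return (client, hostname list) for every chain that matches the lure pattern."""
    return [(client, [host(e["url"]) for e in chain])
            for client, chain in build_chains(parse_log(text))
            if classify_chain(chain) == "suspicious"]


def classify_by_client(text):
    """Map each client with a redirect chain to that chain's classification."""
    return {client: classify_chain(chain)
            for client, chain in build_chains(parse_log(text))}


if __name__ == "__main__":
    for client, hops in find_suspicious(SAMPLE_LOG):
        print(client, " -> ".join(hops))
```

The second client in the sample log reaches the legitimate page straight from the shortener, which is indistinguishable from a normal shortener visit; the value of the check is that the first client's full chain exposes the intermediary hostname, which can then be searched for across the rest of the log to find the "direct landing" visits that shared the same short-link campaign.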