Cytrox Develop Exploits Against Vulnerabilities in Android and Chrome
North Macedonian spyware developer Cytrox was on Thursday accused of developing exploits against vulnerabilities in Android and Chrome with the intent of targeting its users.
Google’s Threat Analysis Group (TAG) researchers noted that the originators made use of the time difference as an advantage when some critical bugs were patched as the 0-day exploits were used together with day exploits but not identified as security problems and when these patches were deployed fully across the Android ecosystem.
The developer allegedly sold the exploits to government-backed actors located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia, who then turned around and used the bugs in at least three additional campaigns.
Previous Exploits on Vulnerabilities
The same tools were suspected to have been used in a series of attacks. One such was in August 2021 when it exploited Google Chrome on a Samsung Galaxy S21 mobile to force the browser to load another URL into the Samsung Internet browser without requiring user involvement.
An attack chain employing CVE-2021-37973 and CVE-2021-37976 to escape the Chrome sandbox (not to be confused with Privacy Sandbox), used it to drop a second vulnerability to escalate privileges and deploy the backdoor that occurred a month later and was delivered to an up-to-date Samsung Galaxy S10.
Another was last seen in October 2021, when a full Android 0-day exploit was discovered on an up-to-date Samsung phone running the then-current version of Chrome. It used CVE-2021-38003 and CVE-2021-1048 to break out of the sandbox and compromise the system by injecting malicious code into privileged processes.
The operation’s ultimate purpose, according to the researchers, was to spread alien malware, which serves as a precursor to loading Predator onto affected Android devices.
To avoid detection, the virus, which receives commands from Predators via an inter-process communication (IPC) method, is programmed to record audio, add CA certificates, and hide programs.
While CVE-2021-1048 was resolved in the Linux kernel in September 2020, it wasn’t backported to Android until last year since the change wasn’t flagged as a security vulnerability, according to Google TAG. According to the researchers, “attackers are actively hunting for and benefitting from such slow-fixed vulnerabilities.”
