Predator Spyware Exploited 5 Android Zero-Day Bugs

Researchers from Google found five different zero-day bugs that the notorious Predator spyware exploited to target Android devices.

Predator Spyware Exploiting Android Zero-Day Bugs

In a recent post, Google Threat Analysis Group (TAG) researchers have shared details about the Predator malware campaigns exploiting Android zero-day vulnerabilities.

As the researchers explain, they had previously found the malware exploiting other zero-day flaws in 2021; now they have shared details of five more recently exploited vulnerabilities, four of which affect Google Chrome.

The fifth bug affected the Android OS itself. Identified as CVE-2021-1048, it was a use-after-free flaw leading to local privilege escalation.

Although all five bugs had already received fixes, the threat actors behind the campaign still managed to exploit them effectively. Describing this, the researchers stated:

The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem.
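The quoted passage describes the exposure window between a fix being released and it actually reaching devices. A defender's first step is to measure that window across a fleet. The following is an added example, not code from the Google TAG post or from any vendor: it reads the security patch level that Android reports in the `ro.build.version.security_patch` property (formatted YYYY-MM-DD) from a constructed device inventory and flags devices whose patch level is older than a chosen threshold. The inventory values, device names and threshold are all assumptions for illustration; real input would come from an MDM export.

```python
"""Fleet check for the patch-deployment lag described in the quoted passage.

Android reports the security patch level a build carries in the
ro.build.version.security_patch property, formatted YYYY-MM-DD. The inventory
below is constructed sample data (hypothetical device ids and levels).
"""
from datetime import date

# Constructed sample: device id -> reported security patch level.
SAMPLE_INVENTORY = {
    "device-a": "2021-11-01",   # recently patched
    "device-b": "2021-09-05",   # a couple of months behind
    "device-c": "2021-06-01",   # far behind: wide n-day exposure window
    "device-d": "not-a-date",   # malformed report, must not be silently skipped
}


def parse_patch_level(value):
    """Return the patch level as a date, or None if the value is not YYYY-MM-DD."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def patch_gap_days(patch_level, today):
    """Days between the build's security patch level and the reference date."""
    return (today - patch_level).days


def stale_devices(inventory, today, max_gap_days=60):
    """Return {device: gap_days} for devices whose patch level is older than
    max_gap_days. Devices with an unparseable level are reported with -1 so
    that a broken inventory record is surfaced rather than hidden."""
    flagged = {}
    for device, raw_level in inventory.items():
        level = parse_patch_level(raw_level)
        if level is None:
            flagged[device] = -1
            continue
        gap = patch_gap_days(level, today)
        if gap > max_gap_days:
            flagged[device] = gap
    return flagged


if __name__ == "__main__":
    # Reference date chosen to sit inside the 2021 campaign period discussed above.
    for device, gap in stale_devices(SAMPLE_INVENTORY, date(2021, 11, 15)).items():
        print(f"{device}: {'unparseable patch level' if gap < 0 else f'{gap} days behind'}")
```

The threshold is a policy choice: a monthly Android security bulletin cadence means anything beyond roughly 60 days has missed at least one bulletin, which is exactly the kind of gap an n-day exploit relies on.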

Predator is powerful spyware from the commercial surveillance firm Cytrox. Like the notorious Pegasus malware, it performs stealthy spying and data-stealing activities on the target device.

The malware can reach a target in various ways. In the three campaigns the researchers analyzed, it reached victims through shortened URLs delivered by email. Clicking the malicious link took the victim through an intermediate page that delivered the malware and then redirected to a legitimate website. Because the victim ended up on a legitimate site, the link raised no suspicion and the delivery escaped visual detection.
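The delivery chain described above (shortened link, an unknown intermediate host, then a bounce to a legitimate site) leaves a recognisable footprint in web-proxy logs. The following is an added example, not code from the Google TAG post or from any product: it parses a few constructed proxy log lines and flags, per client, a redirect from a known URL-shortener host to a host that is neither a shortener nor a trusted destination, followed within a short window by a redirect from that host to a trusted site. The log format, the shortener and trusted host lists, and every hostname in the sample are placeholders chosen for illustration, not real infrastructure.

```python
"""Detection sketch for the shortened-link redirect-through chain described above.

Constructed sample: web-proxy log lines in the (assumed) shape
  <epoch seconds> <client ip> <requested host> <http status> <Location host or ->
All hostnames are placeholders, not real infrastructure.
"""
from collections import defaultdict

# Assumed: URL-shortener domains the organisation commonly sees in mail.
SHORTENER_HOSTS = {"short.example", "lnk.example"}
# Assumed: well-known destinations the organisation treats as legitimate.
TRUSTED_HOSTS = {"news.example.org", "bank.example.com"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

SAMPLE_LOG = """\
1650000000 10.0.0.5 short.example 302 stage.example-cdn.net
1650000001 10.0.0.5 stage.example-cdn.net 302 news.example.org
1650000002 10.0.0.5 news.example.org 200 -
1650000100 10.0.0.7 short.example 302 news.example.org
1650000101 10.0.0.7 news.example.org 200 -
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, status, location = line.split()
        events.append({
            "ts": int(ts),
            "client": client,
            "host": host,
            "status": int(status),
            "location": None if location == "-" else location,
        })
    return events


def find_redirect_through_chains(events, window_seconds=10):
    """Return (client, shortener, intermediate, final) tuples for sessions where
    a shortened link bounced through an unknown host before landing on a
    trusted site. A direct shortener -> trusted redirect is not flagged."""
    by_client = defaultdict(list)
    for event in events:
        by_client[event["client"]].append(event)

    hits = []
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            if first["host"] not in SHORTENER_HOSTS or first["status"] not in REDIRECT_STATUSES:
                continue
            intermediate = first["location"]
            if intermediate is None or intermediate in TRUSTED_HOSTS or intermediate in SHORTENER_HOSTS:
                continue  # nothing sits between the shortener and the destination
            for second in evs[i + 1:]:
                if second["ts"] - first["ts"] > window_seconds:
                    break  # outside the window: not the same click
                if (second["host"] == intermediate
                        and second["status"] in REDIRECT_STATUSES
                        and second["location"] in TRUSTED_HOSTS):
                    hits.append((client, first["host"], intermediate, second["location"]))
                    break
    return hits


if __name__ == "__main__":
    for hit in find_redirect_through_chains(parse_log(SAMPLE_LOG)):
        print("redirect-through chain:", " -> ".join(hit[1:]), "client", hit[0])
```

The rule deliberately ignores the second client, whose shortened link went straight to a trusted site; the signal is the extra hop, not the use of a shortener. In practice the intermediate host would be enriched with domain age and reputation before an alert is raised.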

Upon reaching the device, the malware would then establish itself and gain persistence to steal data.

The researchers observed that these campaigns targeted tens of users. They attributed the attacks to government-backed actors in (at least) Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.
