Google TAG: Cytrox’s Predator spyware used to target Android users

NSO group and its powerful Pegasus malware dominates the debate about commercial spyware vendors selling their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the broader surveillance-for-hire industry. As part of that effort, Google’s Threat Analysis Group released details Thursday of three campaigns that use the popular Predator spyware, developed by North Macedonian firm Cytrox, to target Android users.

Consistent with the Cytrox findings published in December by researchers at the University of Toronto’s Citizen Lab, TAG saw evidence that the state-sponsored actors who purchased the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia, and there may have been other customers. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known flaws for which patches were already available but had not been applied on the victims’ devices.

“It’s important to shed some light on the surveillance vendor ecosystem and how these exploits are sold,” says Google TAG director Shane Huntley. “We want to reduce the ability of both suppliers and governments and other actors who buy their products to deal with these dangerous zero days at no cost. If there’s no regulation and no downside to using those opportunities, then you’re going to see it more and more.”

The commercial spyware industry has given governments that lack the funds or expertise to develop their own hacking tools access to a vast array of surveillance products and services. This allows repressive regimes and law enforcement more broadly to acquire tools that allow them to monitor dissidents, human rights activists, journalists, political opponents and ordinary citizens. And while much attention has been focused on spyware that targets Apple’s iOS, Android is the dominant operating system globally and faces similar exploitation attempts.

“We just want to protect consumers and find this activity as quickly as possible,” says Huntley. “We don’t think we can find everything all the time, but we can slow these actors down.”

TAG says it currently tracks more than 30 surveillance-for-hire vendors with varying levels of public presence that offer a range of exploits and surveillance tools. In the three Predator campaigns investigated by TAG, attackers sent Android users one-off email links that appeared to have been shortened with a standard URL shortener. The attacks were targeted, focusing on only a few dozen potential victims. If a target clicked the link, it led to an attacker-controlled page that automatically began deploying the exploits before quickly redirecting the browser to a legitimate website. From that page the attackers delivered “Alien”, an Android malware loader designed to fetch and run Cytrox’s full-featured spy tool, Predator.

As in the case of iOS, such attacks against Android require sequential exploitation of a series of operating system vulnerabilities. By deploying patches, operating system makers can break these attack chains, sending spyware vendors back to the drawing board to develop new or modified exploits. But even though this makes it difficult for attackers, the commercial spyware industry still manages to thrive.
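Because the campaigns above also used known, already-patched flaws, the first check a practitioner can run on a fleet is whether each device's Android security patch level is current. The script below is an added example written for this article, not code from Google TAG, Citizen Lab or Cytrox; it parses the output of `adb shell getprop` (the sample output embedded here is constructed, not captured from a real device) and flags devices whose patch level is older than a chosen threshold. The threshold of 90 days is an assumption for illustration.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output for one device.
# On a real fleet you would collect this with:  adb -s <serial> shell getprop
SAMPLE_GETPROP = """\
[ro.build.version.release]: [11]
[ro.build.version.sdk]: [30]
[ro.build.version.security_patch]: [2021-08-05]
[ro.product.model]: [ExampleModel]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$", re.M)


def parse_getprop(text):
    """Turn raw getprop output into a {key: value} dict."""
    return {m.group("key"): m.group("val") for m in PROP_RE.finditer(text)}


def patch_age_days(props, today):
    """Days between the device's security patch level and `today`,
    or None if the property is missing or malformed."""
    spl = props.get("ro.build.version.security_patch", "")
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", spl)
    if not m:
        return None
    y, mo, d = (int(x) for x in m.groups())
    return (today - date(y, mo, d)).days


def assess(props, today, max_age_days=90):
    """Summarise one device: release, patch level, age and whether it is stale.
    A missing patch level is reported as stale, since it cannot be verified."""
    age = patch_age_days(props, today)
    return {
        "model": props.get("ro.product.model", "unknown"),
        "release": props.get("ro.build.version.release", "unknown"),
        "patch_level": props.get("ro.build.version.security_patch", "unknown"),
        "age_days": age,
        # Devices with no readable patch level are treated as stale.
        "stale": age is None or age > max_age_days,
    }


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    # Fixed reference date so the example is reproducible; use date.today() in practice.
    print(assess(props, date(2021, 12, 16)))
```

Run it against real devices by replacing `SAMPLE_GETPROP` with the output of `adb shell getprop` for each serial; anything reported as `stale` is a device on which an attacker would not even need a zero-day.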

“We can’t lose sight of the fact that NSO Group or any of these vendors is just part of a broader ecosystem,” said John Scott-Railton, senior researcher at Citizen Lab. “We need cooperation between platforms so that enforcement and mitigation actions cover the full scope of what these commercial players are doing and make it difficult for them to continue.”
