Android smartphones in a number of countries around the world have been targeted by powerful PREDATOR spyware, researchers from Google’s Threat Analysis Group (TAG) have warned.
The company’s recent report says that the spyware, allegedly developed by a commercial entity – a company called Cytrox, headquartered in Skopje, North Macedonia – is capable of recording audio, adding CA certificates, and hiding apps.
Cytrox is being distributed via email, with victims receiving a message carrying a one-time link mimicking a URL shortener service. Once clicked, the victim would then be redirected to a domain owned by the attacker, that would deliver simple Android spyware called ALIEN.
ALIEN and PREDATOR
The target endpoint would then be redirected to a legitimate site, to minimize suspicion.
ALIEN, which lives inside multiple privileged processes, would then load PREDATOR, and receive further commands from the spyware over IPC, such as audio recording.
This technique, the TAG team says, was seen to be used before against journalists.
In this particular case, while specific targets are not known, the researchers have found the spyware to be used at least by government-backed actors in Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain, and Indonesia.
The findings have once again placed commercial entities, developing “legitimate” spyware, into the limelight. Companies such as the NSO Group have been building powerful malware and selling it to governments around the world, claiming their tools assist law enforcement agencies in the fight against terrorism, and other threats to national security.
However, security firms have found these tools to be used, numerous times, against journalists, political activists, the opposition, whistleblowers, close family members of high-ranking officials, etc.
This has prompted privacy and human rights activists to demand its termination and in some countries, it worked. NSO Group, and its products, for example, have been banned in the United States.