NSO Group and its powerful Pegasus malware have dominated the debate over commercial spyware vendors who sell their hacking tools to governments, but researchers and tech companies are increasingly sounding the alarm about activity in the wider surveillance-for-hire industry. As part of this effort, Google’s Threat Analysis Group is publishing details on Thursday of three campaigns that used the popular Predator spyware, developed by the North Macedonian firm Cytrox, to target Android users.
In line with findings on Cytrox published in December by researchers at Toronto’s Citizen Lab University, TAG saw evidence that state-sponsored actors who bought the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. And there may have been other customers. The hacking tools took advantage of five previously unknown Android vulnerabilities, as well as known flaws that had fixes available but that victims had not patched.
“It’s important to shine some light on the surveillance vendor ecosystem and how these exploits are being sold,” says Google TAG director Shane Huntley. “We want to reduce the ability of both vendors and governments and other actors who buy their products to throw around these dangerous zero-days without any cost. If there’s no regulation and no downside to using these capabilities, then you’ll see it more and more. ”
The commercial spyware industry has given governments that do not have the funds or expertise to develop their own hacking tools access to an expansive array of products and surveillance services. This allows repressive regimes and law enforcement more broadly to acquire tools that enable them to surveil dissidents, human rights activists, journalists, political opponents, and regular citizens. And while a lot of attention has been focused on spyware that targets Apple’s iOS, Android is the dominant operating system worldwide and has been facing similar exploitation attempts.
“We just want to protect users and find this activity as quickly as possible,” Huntley says. “We don’t think we can find everything all the time, but we can slow these actors down.”
TAG says it currently tracks more than 30 surveillance-for-hire vendors that have ranging levels of public presence and offer an array of exploits and surveillance tools. In the three Predator campaigns TAG examined, attackers sent Android users one-time links over email that looked like they had been shortened with a standard URL shortener. The attacks were targeted, focusing on just a few dozen potential victims. If a target clicked on the malicious link, it took them to a malicious page that automatically began deploying the exploits before quickly redirecting them to a legitimate website. On that malicious page, attackers deployed “Alien,” Android malware designed to load Cytrox’s full spyware tool, Predator.
As is the case with iOS, such attacks on Android require exploiting a series of operating system vulnerabilities in sequence. By deploying fixes, operating system makers can break these attack chains, sending spyware vendors back to the drawing board to develop new or modified exploits. But while this makes it more difficult for attackers, the commercial spyware industry has still been able to flourish.
“We can’t lose sight of the fact that NSO Group or any of these vendors is just one piece of a broader ecosystem,” says John Scott-Railton, a senior researcher at Citizen Lab. “We need collaboration between platforms so that enforcement actions and mitigations cover the full scope of what these commercial players are doing and make it harder for them to continue.”