Google says that one spyware company exploited at least five zero-day vulnerabilities—four in the Chrome browser and one in the Android operating system—throughout 2021.
The company’s Threat Analysis Group (TAG) says the spyware maker in question is a North Macedonian firm known as Cytrox. Precious little is known about Cytrox, but in December 2021, the Citizen Lab at the University of Toronto revealed some information about its activities.
Citizen Lab said Cytrox infected two Egyptians—“exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)”—with its Predator malware in June 2021. Those infections affected iPhones, but TAG says Predator targets Android phones, too.
TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in “at least three campaigns” believed to be conducted on behalf of various governments.
Cytrox is also said to have taken advantage of several already-known security flaws, so-called “n-days”: bugs for which a patch has been released but which still work against devices that have not yet installed it. TAG says these “findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits.”
That isn’t good news for companies that need to defend products used by hundreds of millions of people. Firms like Cytrox are making life increasingly difficult for the security teams at Google, Apple, and Microsoft—and it seems like they aren’t going to get a break any time soon.
“Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors,” Google says. “TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”
More information about how Cytrox exploited these zero-day vulnerabilities to infect Android smartphones as part of three separate campaigns in 2021 is available via TAG’s blog post.