Google: Predator Spyware Used Zero-Day Vulnerabilities to Infect Android Devices

Colin Thierry Colin Thierry

State-sponsored actors have exploited five zero-day vulnerabilities to infect devices with Predator spyware, Google’s Threat Analysis Group (TAG) disclosed in a security report last week.

The attacks were part of three malicious spyware campaigns launched between last August and October. In these attacks, the threat actors used zero-day exploits against Chrome and Android OS. According to the report, they managed to install Predator spyware on fully updated devices.

Security experts at Google believe that a commercial surveillance company provided the exploits to various government-backed threat actors who deployed them in the attacks. According to Google, the threat actors are from Armenia, Egypt, Madagascar, Greece, Serbia, Côte d’Ivoire, Spain, and Indonesia.

“The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem,” said Google TAG’s report.

The three campaigns used a total of five previously unknown zero-day Chrome and Android vulnerabilities in their attacks.

In all three campaigns, attackers emailed their targets one-time links posing as URL shortener services. Accessing this infected link takes the victim to a malicious website where the exploits are used to compromise the system. Afterwards, the victim would get redirected to a legitimate website.

However, if the threat actor’s domain was not active, the victim would land directly on the legitimate website.

The Attacks

The first campaign, detected in August, used Chrome on a Samsung Galaxy S21 and the web server immediately replied with a HTTP redirect (302) pointing to the following intent URL, according to Google. This URL abused a logic flaw and forced Chrome to load another URL in the Samsung Browser without user interaction or warnings.

In September, TAG detected a campaign where the exploit chain was delivered to a fully up-to-date Samsung Galaxy S10 running the latest version of Chrome.

“We recovered the exploit used to escape the Chrome Sandbox, but not the initial RCE exploit,” Google said. “The sandbox escape was loaded directly as an ELF binary embedding libchrome.so and a custom libmojo_bridge.so was used to ease the communication with the Mojo IPCs. This means the renderer exploit did not enable MojoJS bindings like we often see in public exploits.”

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.