Cytrox’s Predator spyware used zero-day exploits in 3 campaigns

Pierluigi Paganini May 23, 2022

Google’s Threat Analysis Group (TAG) uncovered campaigns targeting Android users with five zero-day vulnerabilities.

Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

The attacks aimed at installing the surveillance spyware Predator, developed by the North Macedonian firm Cytrox.

The five 0-day vulnerabilities exploited by the attackers:

  • , , ,  in Chrome;
  •  in Android;

Below are the three campaigns documented by Google TAG, and the way the flaws were exploited:

  • Campaign #1 – redirecting to SBrowser from Chrome (CVE-2021-38000)
  • Campaign #2 – Chrome sandbox escape (CVE-2021-37973, CVE-2021-37976)
  • Campaign #3 – Full Android 0-day exploit chain (CVE-2021-38003, CVE-2021-1048)

According to Google, the exploits were included in Cytrox’s commercial surveillance spyware that is sold to different nation-state actors, including Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

“The 0-day exploits were used alongside n-day exploits as the developers took advantage of the time difference between when some critical bugs were patched but not flagged as security issues and when these patches were fully deployed across the Android ecosystem.” reads the advisory published by Google. “Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”

In December a report published by CitizenLab researchers detailed the use of the Predator Spyware against exiled politician Ayman Nour and the host of a popular news program.

The disconcerting aspect of these attacks is that Ayman Nour’s phone was simultaneously infected with both Cytrox’s Predator and NSO Group’s Pegasus spyware, operated by two different nation-state actors.

Back to the campaigns uncovered by Google TAG, they were targeting a limited number of targets, in all the attacks, the attackers delivered one-time links mimicking URL shortener services to the targeted Android users via email.

Upon clicking on the link, the victim is redirected to a domain under the control of the attackers that was used to deliver the exploits before redirecting the browser to a legitimate website.

The exploits were used to first deliver the ALIEN Android banking Trojan that acts as a loader for the PREDATOR implant.

“ALIEN lives inside multiple privileged processes and receives commands from PREDATOR over IPC. These commands include recording audio, adding CA certificates, and hiding apps.” continues the report.

“TAG continues to track more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”

Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.

Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)

To nominate, please visit: 

Follow me on Twitter: and

[adrotate banner=”9″][adrotate banner=”12″]

(SecurityAffairs – hacking, Predator)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment