Google has concluded that the same company was behind the exploitation of five previously unknown bugs in Chrome and Android discovered in 2021, and it has decided to name that company publicly.
It is, in effect, the digital equivalent of name and shame. In a blog post published on May 19, Google publicly linked the use of five vulnerabilities to a single company: Cytrox. The name is still little known to the public, but it made the news after a case of digital espionage.
That was in December 2021. After the Pegasus spyware, another malicious tool, nicknamed Predator, came to light. The malware is powerful: it can infect Android smartphones and iPhones through a simple link sent over WhatsApp. Behind Predator is Cytrox, a company founded in North Macedonia.
Cytrox belongs to an alliance of companies seeking to compete with NSO Group (the maker of Pegasus) in the field of digital espionage. The name of this group is Intellexa. It reportedly has eight partner companies, Cytrox among them. According to Gizmodo, Cytrox is a subsidiary of WiSpear, a company described as a specialist in wireless (in this case Wi-Fi) eavesdropping.
According to Clement Lecigne and Christian Resell, members of TAG (Threat Analysis Group), it was the TAG team that carried out this attribution on behalf of the Mountain View company, and it did so with a high degree of confidence. TAG’s role is to counter espionage and hacking threats covertly backed by states.
The work was done in collaboration with another specialized group, Project Zero, whose job is to find critical bugs known as 0-days because they are undocumented or unknown to the vendor. Project Zero provided technical support to TAG because the five vulnerabilities in question are precisely such 0-day flaws.
Five undisclosed flaws used in three offensive campaigns
Four of the five vulnerabilities were in the Google Chrome browser and the fifth in the Android operating system. They were exploited in three separate campaigns. All of them have since been fixed by the teams responsible for developing the mobile operating system and the browser.
The first campaign, spotted in August 2021, ran through Chrome on a Samsung Galaxy S21. Unable to attack Chrome directly, the attackers forced the use of Samsung’s browser, which was based on an older, vulnerable version of Chromium. The technique relied on URL redirection performed without the user’s knowledge.
The second campaign used two flaws to escape Chrome’s “sandbox,” an isolated environment designed precisely to keep problems from spilling out of the browser. The attack targeted a Samsung Galaxy S10; as soon as it was out of the sandbox, the malicious tool fetched another exploit from the internet to escalate privileges on the device.
The last campaign used two undisclosed bugs on a recent Samsung phone running the latest version of Chrome. It exploited an old Linux kernel bug that had long been fixed upstream, but whose fix had not been carried into most Android kernels. At the time of the exploit, all Samsung kernels were vulnerable.