Google concluded that one and the same company was behind the exploitation of five hidden flaws in Chrome and Android discovered in 2021. And Google decided to name that company publicly.
It is in a way the equivalent of “name and shame”, but applied to the digital world. In a blog post published on May 19, Google publicly linked the use of five security vulnerabilities to a single company: Cytrox. Its name is still little known, but it was at the center of the news after a case of computer espionage.
It was in December 2021. After the Pegasus spyware, another malicious tool was discovered, nicknamed Predator. The malware proved formidable, as it is able to infect Android smartphones and iPhones through a simple link sent via WhatsApp. Behind Predator is Cytrox, a company founded in North Macedonia.
Cytrox is associated with an alliance of companies eager to compete with NSO Group (the maker of Pegasus) in the digital espionage sector. The name of this group? Intellexa. It reportedly has eight partner companies, including Cytrox. According to Gizmodo, Cytrox is a subsidiary of WiSpear, a company described as an expert in wireless interception (in this case, Wi-Fi).
It was the TAG (Threat Analysis Group) team which, on behalf of the Mountain View firm, was responsible for making this attribution, which was made with a high level of confidence, according to Clement Lecigne and Christian Resell, members of the TAG. The role of the TAG is to counter state-backed threats, whether they take the form of espionage or hacking.
This work was also carried out in cooperation with another specialized group, Project Zero, whose mission is to find so-called 0-day critical flaws, so named because they are undocumented and unknown to the vendor. Project Zero provided technical support to TAG, because the five vulnerabilities in question are precisely 0-day vulnerabilities.
Five Secret Flaws Used in Three Offensive Campaigns
In this case, four of the five security flaws were in the Google Chrome browser and the fifth in the Android operating system. They were exploited in three separate campaigns. All of these weaknesses have since been fixed by the teams responsible for developing the mobile OS and the browser.
The first campaign, detected in August 2021, started from Chrome on a Samsung Galaxy S21. Because they could not attack Chrome directly, the attackers forced the use of Samsung’s browser, which was based on an older and vulnerable version of Chromium. The technique relied on URL redirections, without the user suspecting anything.
The second campaign used two flaws in order to escape Chrome’s “sandbox”, that is, an isolated environment designed precisely to keep problems from spilling out of the browser. The campaign targeted a Samsung Galaxy S10 and, once out of the sandbox, the malicious tool would fetch another exploit from the internet in order to escalate privileges on the device.
As for the last campaign, it used two secret flaws on an up-to-date Samsung mobile running the latest version of Chrome. It took advantage of an old Linux kernel flaw which had certainly been fixed upstream, but whose fix had not been backported to most Android kernels. At the time of the exploit, all Samsung kernels were vulnerable.