Pegasus is not alone, Predator malware targeted Android users with five 0-day exploits

Google’s Threat Analysis Group lists five distinct vulnerabilities that were used to target Android users, four affecting Chrome and one affecting Android.
Google’s Threat Analysis Group (TAG) has found with ‘high confidence’ that a commercial surveillance company, Cytrox, packaged five zero-day (0-day) exploits and sold them to government-backed threat actors.
The five vulnerabilities, four in Chrome and one in Android, are:
  • CVE-2021-37973 – Chrome (use-after-free in Portals)
  • CVE-2021-37976 – Chrome (information leak in core)
  • CVE-2021-38000 – Chrome (insufficient validation of untrusted input in Intents)
  • CVE-2021-38003 – Chrome (inappropriate implementation in V8)
  • CVE-2021-1048 – Android (use-after-free in the kernel)
“Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors. TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors,” states TAG.
The threat actors sent Android users emails containing one-time links that looked like popular URL-shortener services. Once clicked, the link redirected the target to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate website. If the link was no longer active, the user was redirected directly to a legitimate website, so a second visit (for example by a reviewer or a sandbox) shows nothing suspicious. “We've seen this technique used against journalists and other unidentified targets, and alerted those users, when possible,” says Google.
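The delivery pattern above (a shortener look-alike, a detour through an attacker-owned domain, and a link that "burns" after the first click) can be triaged from proxy or mail-gateway logs that record the redirect chain of each clicked link. The following is an added example, not code from Google TAG or from the article; the log records and every domain in them are constructed for illustration, and the allowlist of genuine shortener services is an assumption you would replace with your own.

```python
"""Heuristic triage of e-mail links that imitate URL-shortener services.

Added example (not from the original article). It flags three signals that
match the delivery pattern described in the text:
  1. a first-hop domain that imitates a known shortener,
  2. a redirect chain that detours through an intermediate, unrelated domain
     before landing on a legitimate site,
  3. the same link producing a different chain on a later visit
     (consistent with a one-time link).
Log records and domains below are constructed; they are not real campaign data.
"""
from urllib.parse import urlparse

# Assumed allowlist of genuine shortener services; extend for your environment.
KNOWN_SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "buff.ly", "rb.gy"}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for these heuristics;
    use a public-suffix library in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats of shortener names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def imitates_shortener(host: str) -> bool:
    """True when the domain is not a known shortener but is within two edits
    of one, or reuses a shortener's brand label under another TLD."""
    dom = registrable_domain(host)
    if dom in KNOWN_SHORTENERS:
        return False
    brand = dom.split(".")[0]
    return any(levenshtein(dom, k) <= 2 or brand == k.split(".")[0] for k in KNOWN_SHORTENERS)


def triage(records: list) -> dict:
    """Return {clicked_url: [finding, ...]} for records of the form
    {"to": recipient, "url": clicked URL, "chain": [url0, ..., final]},
    where chain[0] is the clicked URL and chain[-1] is where the browser ended."""
    findings: dict = {}
    chain_lengths: dict = {}
    for rec in records:
        url, chain = rec["url"], rec["chain"]
        notes = findings.setdefault(url, [])
        host = lambda u: registrable_domain(urlparse(u).hostname or "")
        first, final = host(chain[0]), host(chain[-1])
        if imitates_shortener(urlparse(url).hostname or "") and "imitates-shortener" not in notes:
            notes.append("imitates-shortener")
        # shortener look-alike -> attacker-owned domain -> legitimate site
        intermediates = {host(u) for u in chain[1:-1]}
        if intermediates - {first, final} and "intermediate-domain" not in notes:
            notes.append("intermediate-domain")
        # same link, different chain on a later visit: the link was burned
        seen = chain_lengths.setdefault(url, set())
        seen.add(len(chain))
        if len(seen) > 1 and "one-time-link" not in notes:
            notes.append("one-time-link")
    return {u: n for u, n in findings.items() if n}


# Constructed sample records (invented domains).
SAMPLE_RECORDS = [
    {"to": "reporter@example.org", "url": "https://bit.li/Kq9Zx2",           # first click
     "chain": ["https://bit.li/Kq9Zx2", "https://cdn-updates.example/stage",
               "https://news.example.com/story/1"]},
    {"to": "analyst@example.org", "url": "https://bit.li/Kq9Zx2",            # second visit
     "chain": ["https://bit.li/Kq9Zx2", "https://news.example.com/story/1"]},
    {"to": "reporter@example.org", "url": "https://bit.ly/3abcdef",          # genuine shortener
     "chain": ["https://bit.ly/3abcdef", "https://news.example.com/story/2"]},
    {"to": "reporter@example.org", "url": "https://docs.example.com/page",   # plain link
     "chain": ["https://docs.example.com/page"]},
    {"to": "editor@example.org", "url": "https://tinyurl.top/x1Y2z3",        # brand reuse
     "chain": ["https://tinyurl.top/x1Y2z3", "https://login.example.com/"]},
]

if __name__ == "__main__":
    for url, notes in triage(SAMPLE_RECORDS).items():
        print(url, "->", ", ".join(notes))
```

The third signal is the one worth keeping an eye on: a link that resolved through an extra domain on its first visit and straight to a legitimate site on the second is exactly what a burned one-time link looks like, and it is why a later manual check of a reported link will usually find nothing.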
According to TAG, the payload delivered was ‘ALIEN’, a simple Android implant with only one job: to load Predator. Once Predator is loaded, ALIEN receives commands from Predator over IPC, including recording audio, adding CA certificates, and hiding apps. A CA certificate added to the device trust store is what lets the operator intercept the target’s TLS traffic, so an unexpected user-installed CA certificate is one of the few on-device artifacts worth checking for.