On Thursday, Google's Threat Analysis Group (TAG) disclosed the details of three campaigns. Their common feature is the use of the Predator spyware developed by the North Macedonian company Cytrox. Unlike the Pegasus malware developed by NSO Group, this software targets Android users.
Consistent with the research on Cytrox published by researchers at the University of Toronto's Citizen Lab in December, TAG saw evidence that the state-backed actors who bought the Android exploits were located in Egypt, Armenia, Greece, Madagascar, Côte d'Ivoire, Serbia, Spain and Indonesia, and there may be other customers. The hacking tools exploited five previously unknown Android vulnerabilities as well as known flaws; fixes for those known flaws were available, but the victims had not applied them.
Shane Huntley, director of Google TAG, said: "It's important to let people understand the ecosystem of surveillance vendors and how these vulnerabilities are sold. We want to reduce the ability of vendors, and of the governments and other actors who buy their products, to throw out these dangerous zero-days without any cost. If there is no regulation and no downside to using these capabilities, you will see more and more of it."
The commercial spyware industry provides governments that lack the funds or expertise to develop their own hacking tools with a wide range of products and surveillance services. This gives oppressive regimes and law enforcement agencies broader access to tools that let them monitor dissidents, human rights activists, journalists, political opponents and ordinary citizens. Although much attention has focused on spyware targeting Apple's iOS, Android is the world's most widely used operating system and has faced similar exploitation attempts.
"We just want to protect our users and detect this activity as soon as possible. We don't think we can always find everything, but we can slow down these actors," Huntley said.
TAG said that it has tracked more than 30 such vendors, with varying degrees of public exposure, that offer a range of exploits and surveillance tools. In the three Predator campaigns TAG examined, the attackers sent Android users a one-time link by email that looked as if it had been shortened with a standard URL shortener.