
With the many people that use Android phones as their daily driver, the data those people generate can be extremely valuable.
Hackers know this very well, and that is why they lurk in the shadows, preying on anyone who crosses paths with them, or who is weak enough to be exploited and drained dry. Among the many ways to hack a device, the most popular is to plant malware on it.
And this time, a piece of malware was found with potential damage so severe that Google had to sound the alarm.
According to a report from Google's Threat Analysis Group (TAG), the malware is actively being used in state-backed cyberattacks, facilitated by a private company.
At the time of the finding, the malware was said to have been used in at least three campaigns, including one that successfully infiltrated the phone of an exiled Egyptian politician.
Google fears that the malware can be, or is already being, used by countries with oppressive governments, or by commercial surveillance companies that wish to keep an eye on dissidents.
The malware is similar to NSO Group’s Pegasus spyware, which allows threat actors to spy on journalists and high-profile individuals.
What was found here is that the malware exploits five previously unknown vulnerabilities, known as zero-day vulnerabilities: four in Chrome and one in Android.
The attack starts with the hackers sending their targets one-time URLs through spear-phishing emails.
The links lead to a malicious website the hackers control.
When a target clicks on such a URL, they land on a malicious webpage that automatically launches the exploits, and are then redirected to a legitimate website so that nothing looks out of place.
The attack loads the 'Predator' malware, which can conduct surveillance by discreetly recording audio from the microphone, hijacking all call logs and texts, and controlling notifications to mask itself from detection.
It's worth noting that the Predator malware was previously analyzed in a report from the University of Toronto’s Citizen Lab.
But in this particular case, Google assesses that these campaigns delivered the Alien malware first, which then loaded Predator.
Alien lives inside multiple privileged processes and receives commands from Predator.
While Predator's primary target seems to be Android phones, it is said that it can also infect Apple's iOS devices by exploiting the operating system's Shortcuts and automation features.
According to the report, the company behind the Predator malware is called Cytrox.
Cytrox, founded in 2017 by Ivo Malinkovski, provides governments with an "operational cyber solution" that includes gathering information from devices and cloud services.
Again, this is similar to the Israeli NSO Group.
In a more detailed description of its product, the company says it sells technology defined as "cyber intelligence systems designed to offer security" to governments and to assist with "designing, managing and implementing cyber intelligence gathering in the network, enabling businesses to gather intelligence from both end devices as well as from cloud services."
Cytrox's clients include Greece, Egypt, Serbia, Madagascar, Indonesia, Spain, Côte d’Ivoire, and Armenia.
Also like NSO Group, Cytrox, a commercial surveillance firm based in North Macedonia, has clashed with Facebook's parent company Meta over its "cyber mercenary" practices.
"Tackling the harmful practices of the commercial surveillance industry will require a robust, comprehensive approach that includes cooperation among threat intelligence teams, network defenders, academic researchers and technology platforms," Google TAG analysts wrote in a blog post detailing the hack.
It's reported that this kind of malware tends to be used in less developed, less democratic countries, where government officials may use malware-powered surveillance to maintain a repressive status quo.
"Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future," CitizenLab concluded.
Still, because state-sponsored cyberattacks can be this sophisticated, cybersecurity and tech companies can do little more than discourage people from using any product that comes from Cytrox, NSO Group, or similar firms, since the true motives of their clients are impossible to determine.
"We look forward to continuing our work in this space and advancing the safety and security of our users around the world," Google TAG analysts wrote.

For users, the best thing they can do is update their phone to the newest firmware whenever a new release comes out.
This is because updates often come with security patches.
Users should also avoid downloading apps from places other than the official app store, avoid sideloading apps, avoid opening websites without HTTPS, avoid entering their email address on suspicious websites, and so on.
Android users in particular can download extra security software from the Google Play Store.
When receiving emails, never click on a link or download an attachment sent by an unknown sender.
Always read emails carefully, and try to verify that the sender is who they claim to be.
It's worth noting that the phone of Ayman Nour, the exiled Egyptian politician mentioned above, was simultaneously infected with both Cytrox's Predator and NSO Group's Pegasus spyware.