A shady private surveillance company sold access to nearly half a dozen powerful security flaws in Chrome and Android last year to government-affiliated hackers, Google revealed Monday.
Cytrox, a secretive firm based in North Macedonia, allegedly sold access to four zero-day security flaws in the Chrome browser as well as one in the Android operating system. Its clients were government-linked “threat actors” in multiple foreign countries who used the exploits to conduct hacking campaigns with Cytrox’s invasive spyware “Predator.” We have to hand it to Cytrox: Selling access to security flaws that require your spyware in order to exploit them is Batman-villain business savvy, the way the Joker might approach vertical integration. You can find a full list of the vulnerabilities in Google’s blog.
“We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed actors who used them in at least the three campaigns discussed below,” researchers with Google’s Threat Analysis Group (TAG) explained in a blog post.
Cytrox is also said to have given its clients access to a number of “n-days”—vulnerabilities that had already had patches issued for them. In these cases, the targeted users presumably had not updated their devices or applications.
The hackers who bought Cytrox’s services and spyware were based all over the world—Greece, Serbia, Egypt, Armenia, Spain, Indonesia, Madagascar, and Côte d’Ivoire, researchers write. Google’s TAG team also writes of a disturbing new trend: a majority of the zero-day vulnerabilities they discovered last year were intentionally “developed” by private surveillance firms like Cytrox.
“Seven of the nine 0-days TAG discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors,” the researchers write. “TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”
Hacking scandals connected to the private surveillance industry have generated significant controversy in recent years. In particular, the well-known spyware company NSO Group has been accused of selling its sophisticated digital intrusion tools to governments all over the world, including our own.