A shady private surveillance company sold access to nearly half a dozen powerful security flaws in Chrome and Android last year to government-affiliated hackers, Google revealed Monday.
Cytrox, a secretive company based in North Macedonia, allegedly sold access to four zero-day security flaws in the Chrome browser, as well as one in the Android operating system. Its clients were government-linked “threat actors” in various foreign countries who used the exploits to conduct hacking campaigns with Cytrox’s invasive “Predator” spyware. Cytrox sells access to security flaws that require its spyware to exploit. A complete list of the vulnerabilities is available on Google’s blog.
“We assess with high confidence that these exploits were packaged by a single commercial surveillance company, Cytrox, and sold to multiple government-backed actors who used them in at least the three campaigns discussed below,” researchers from Google’s Threat Analysis Group (TAG) explained in a blog post.
Cytrox is also said to have given its customers access to a number of “n-days”: vulnerabilities that already had patches issued for them. In these cases, presumably the targeted users had not updated their devices or apps.
The hackers who bought Cytrox’s services and spyware were located all over the world: Greece, Serbia, Egypt, Armenia, Spain, Indonesia, Madagascar and the Ivory Coast, the researchers write. Google’s TAG team also writes about a disturbing new trend: Most of the zero-day vulnerabilities they discovered last year were intentionally “developed” by private surveillance companies like Cytrox.
“Seven of the nine zero-days TAG discovered in 2021 fall into this category: developed by commercial vendors and sold and used by government-backed actors,” the researchers write. “TAG is actively tracking more than 30 vendors with varying levels of sophistication and public exposure that are selling exploits or surveillance capabilities to government-backed actors.”
Hacking scandals related to the private surveillance industry have generated a great deal of controversy in recent years. In particular, the well-known spyware company NSO Group has been accused of selling its sophisticated digital intrusion tools to governments around the world, including the USA.