The company’s recent report says that the spyware, allegedly developed by a commercial entity - a company called Cytrox, headquartered in Skopje, North Macedonia - is capable of recording audio, adding CA certificates, and hiding apps.
Cytrox is being distributed via email, with victims receiving a message carrying a one-time link mimicking a URL shortener service. Once clicked, the victim would then be redirected to a domain owned by the attacker, that would deliver simple Android spyware called ALIEN.
Share your thoughts on Cybersecurity and get a free copy of the Hacker's Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/£10.99.
ALIEN and PREDATOR
The target endpoint would then be redirected to a legitimate site, to minimize suspicion.
ALIEN, which lives inside multiple privileged processes, would then load PREDATOR, and receive further commands from the spyware over IPC, such as audio recording.
This technique, the TAG team says, was seen to be used before against journalists.
In this particular case, while specific targets are not known, the researchers have found the spyware to be used at least by government-backed actors in Egypt, Armenia, Greece, Madagascar, Ivory Coast, Serbia, Spain, and Indonesia.
The findings have once again placed commercial entities, developing “legitimate” spyware, into the limelight. Companies such as the NSO Group have been building powerful malware and selling it to governments around the world, claiming their tools assist law enforcement agencies in the fight against terrorism, and other threats to national security.
However, security firms have found these tools to be used, numerous times, against journalists, political activists, the opposition, whistleblowers, close family members of high-ranking officials, etc.
This has prompted privacy and human rights activists to demand its termination and in some countries, it worked. NSO Group, and its products, for example, have been banned in the United States.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.