Google says that one spyware company exploited at least five zero-day vulnerabilities—four in the Chrome browser and one in the Android operating system—throughout 2021.
The company's Threat Analysis Group (TAG) says the spyware maker in question is a North Macedonian firm known as Cytrox. Precious little is known about Cytrox, but in December 2021, the Citizen Lab at the University of Toronto revealed some information about its activities.
Citizen Lab said Cytrox infected two Egyptians—"exiled politician Ayman Nour and the host of a popular news program (who wishes to remain anonymous)"—with its Predator malware in June 2021. Those infections affected iPhones, but TAG says Predator targets Android phones, too.
TAG says Cytrox abused four Chrome zero-days (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, and CVE-2021-38003) and a single Android zero-day (CVE-2021-1048) last year in "at least three campaigns" believed to be conducted on behalf of various governments.
Cytrox is also said to have taken advantage of several already-known security flaws, so-called "n-days," for which patches were already available. TAG says these "findings underscore the extent to which commercial surveillance vendors have proliferated capabilities historically only used by governments with the technical expertise to develop and operationalize exploits."
That isn't good news for companies that need to defend products used by hundreds of millions of people. Firms like Cytrox are making life increasingly difficult for the security teams at Google, Apple, and Microsoft—and it seems
Read more on pcmag.com