Vulnerabilities in Google Chrome and Android would have been sold by the company that identified them or even created them to hackers believed to be close to eight governments. He states it Google in a post on his blog where he updates the community about TAG the Threat Analysis Group “who is constantly looking for zero days vulnerabilities”so called because the bad guys discover them before the companies that should fix them, so they don’t leave even a day to fix it – zero days precisely.
In this story the conditional is preferable because it is Google itself that admits between the lines that it does not have unshakable certainties, only – evidently – suspicions more than founded enough to allow it to publicly make names and surnames. The protagonist in question would be Cytrox, a Macedonian company that allegedly sold four Google Chrome vulnerabilities and one of Android to malicious people with important, at times disturbing, links.
To be part of the “package” too Cytrox’s Predator spyware which would have been the means to enter through the leaks and steal everything inside the virtual luggage of the unfortunates.
We can say with great confidence that the exploits in question (identification codes in the post, link in SOURCE, ed) are attributable to a single company, Cytrox, and have been sold to different actors supported by the relevant governments who have used them in at least three operations – explains the Google TAG team.
Cytrox is also thought to have made it available to his own “important” customers access to some vulnerability n-days, for which patches were already available at the time of sale, but which were useful for targeting those users who had not installed them. Customers who would have purchased the Predator vulnerability and spyware package, according to the TAG, would be in some way tied to administrations of:
- Spain
- Greece
- Serbia
- Egypt
- Armenia
- Indonesia
- Ivory Coast
- Madagascar
Google, through its team of “bounty hunters”, is very clear in its perimeter of the story:
Seven of the nine zero-day vulnerabilities discovered in 2021 are developed by commercial providers and then sold and used by government-backed actors.
Cytrox is not a new new. It was done at the end of last year by Meta regarding the tens of thousands of social media users who had been spied on by surveillance companies. And even the involvement of governments is new when it comes to spyware and citizen control: many will remember the NSO Group’s Pegasus scandal, which was called “political” spyware because it was unleashed to keep an eye on the press, activists and dissidents.
