Google detects Alien spyware targeting Android users
Google’s Threat Analysis Group (TAG) has confirmed that Android users around the world are being targeted by the Alien spyware family, which is commercial spyware. Tracking shows that the malware family is an advanced malware family developed by Cytrox Technologies of the Republic of North Macedonia in the Balkans of Southeastern Europe. The company primarily sells it to certain national government agencies or groups backed by those government agencies for the purpose of hacking and spying on targeted Android users. In essence, this is no different from the Pegasus spyware launched by the Israeli commercial spyware company NSO, except that the Alien spyware is for Android.
Analysis shows that the Alien spyware family mainly exploits zero-day vulnerabilities and certain known outdated flaws, and is mainly spread by email. For example, after the email of the target user is known, a phishing email is sent to induce the user to click on the link, and the Predator virus can be automatically loaded after clicking.
The organization that launched the attack uses a short-link system. When a user clicks, the virus will be loaded for the first time, and then they will jump to the website mentioned in the phishing email to confuse the user. The three campaigns identified by Google’s threat analysis team belong to the Alien malware family, and there are currently dozens of Android users under attack. Obviously, this is also a targeted attack, and the attacker will only carry out targeted attacks after selecting the target. Google writes:
All three [spyware] campaigns delivered one-time links mimicking URL shortener services to the targeted Android users via email. The campaigns were limited — in each case, we assess the number of targets was in the tens of users. Once clicked, the link redirected the target to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate website.
Analysis revealed that the Alien malware family has features such as audio recording, hiding apps, stealing user data, and turning on microphones for monitoring. Zero-day vulnerabilities that have been discovered by Google will be fixed soon, but for most Android users, there is no way to update the system in time to fix it. In particular, many of the vulnerabilities exploited by the malware are outdated, meaning they have long been fixed by Google but the OEM has not sent an update to the user. This makes the security of the Android system very weak, because many outdated vulnerabilities have been published long ago, and virtually any attacker can exploit the vulnerabilities. Google reminded that users should not click on links in unknown emails, and users should double-check the sender to ensure that the email is safe before clicking on the link.