Android users around the world are being targeted by new spyware called "ALIEN", which acts as a loader for a second-stage payload called "PREDATOR". The spyware was allegedly developed by a company called Cytrox in North Macedonia. Google's Threat Analysis Group (TAG) has confirmed at least three campaigns that are active in the wild.
Google has alleged that multiple exploits, which collectively fall under the Alien spyware category, were packaged by a single commercial surveillance company, Cytrox, and sold to different government-backed groups. Online security research company Citizen Lab had also detected multiple attacks, and Google claims they are all connected to the Alien spyware.
Google claims the 0-day exploits used to deliver the Alien spyware are being chained with some older, already-patched exploits. Malware developers appear to be actively exploiting the "patch gap": the window between when a critical bug is fixed upstream but not yet flagged as a security issue, and when that fix is fully deployed across the Android ecosystem.
The spyware seems to be spreading mainly through email. Victims receive messages containing suspicious links. Each link redirects the victim to an attacker-controlled website that delivers the exploits and installs Alien, which then loads its main payload, Predator, before the browser is sent on to the originally intended website. Google says:
All three [spyware] campaigns delivered one-time links mimicking URL shortener services to the targeted Android users via email. The campaigns were limited — in each case, we assess the number of targets was in the tens of users. Once clicked, the link redirected the target to an attacker-owned domain that delivered the exploits before redirecting the browser to a legitimate website.
The spyware can record audio, hide apps, and perform several other malicious actions. Google says it has shipped patches to address the vulnerabilities, so keeping devices updated closes the exploited bugs. Even so, Android users should remain cautious about opening emails from unfamiliar sources, and should not click links embedded in emails without first confirming the authenticity of the sender.