A shady private company sold access to nearly half a dozen powerful security flaws in Chrome and Android last year to government-affiliated hackers.
Cytrox, a secretive firm based in North Macedonia, is accused of selling access to four zero-day security flaws in the Chrome browser as well as one in the Android operating system. Government-linked threat actors in multiple foreign countries used the exploits to conduct hacking campaigns with Cytrox. There is a full list of vulnerabilities in the website.
The exploits were packaged by a single commercial company, Cytrox, and sold to different government-backed actors who used them in at least three campaigns.
Cytrox gave its clients access tovulnerabilities that had already been issued for them. In these cases, the users probably didn't update their devices or applications.
The hackers who bought Cytrox's services were based all over the world. A majority of the zero-day vulnerabilities they discovered last year were developed by private firms like Cytrox.
Seven of the nine 0-days TAG discovered in 2021 were developed by commercial providers and sold to and used by government-backed actors.
There have been hacking scandals in the past that have generated controversy. NSO Group has been accused of selling digital intrusion tools to governments all over the world.