Security researchers detail the inner workings of commercial spyware Android called Predator, which is marketed by the Israeli company Intellexa (formerly Cytrox).
Predator was first reported by Google's Threat Analysis Team (TAG) in May 2022 as part of attacks that exploited five different zero-days in the Chrome browser and Android.
The software Spyware interceptor, which is delivered via another bootloader known as Alien, is equipped to record audio from phone calls and VoIP-based applications, as well as collect contacts and messages, from various applications such as Signal, WhatsApp and Telegram .
Other features allow it to hide apps and prevent apps from running when the device is restarted.
"A deep dive into both pieces of eavesdropping software suggests that Alien is not just a loader for Predator but actively configures the low-level capabilities required for Predator to spy on its victims," Cisco Talos reported. in a technical report.
Spyware like its Predator and Pegasus NSO Group carefully delivered as part of highly targeted zero-click malware attacks that typically require no interaction from victims and allow code execution and privilege escalation.
"Predator is an interesting piece of spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it highly flexible and dangerous," Talos reports.
Both Predator and Alien are designed to bypass Android's protections – a protection called Security-Enhanced Linux (SELinux) – with the latter loading into a core Android process called Zygote to download and launch other spyware.
It is currently unclear how Alien is initially activated on an infected device. However, it is suspected that it is loaded by some shellcode running early stage exploits.
"Alien is not just a loader but also an executor – its multiple threads continue to read commands coming from Predator and execute them, giving the spyware the means to bypass some of Android's security features," the company says. .
The various Python modules associated with Predator make it possible to run a wide range work such as information theft, surveillance, remote access and arbitrary code execution.
Read the entire Cisco white paper.
