Predator (Intellexa) new features discovered

Security researchers have detailed the inner workings of a commercial Android spyware called Predator, which is marketed by the Intellexa alliance, whose members include Predator's developer Cytrox.

Predator was first reported by Google's Threat Analysis Group (TAG) in May 2022, when it was delivered in attacks that exploited five different zero-day vulnerabilities in the Chrome browser and Android.

The spyware is delivered by a second component, a loader known as Alien, and is equipped to record audio from phone calls and VoIP-based applications as well as to collect contacts and messages from apps such as Signal, WhatsApp and Telegram.

Other features let it hide applications and prevent applications from running after the device is rebooted.

"A deep dive into both pieces of eavesdropping software suggests that Alien is not just a loader for Predator but actively configures the low-level capabilities required for Predator to spy on its victims," Cisco Talos said in a technical report.

Spyware such as Predator and NSO Group's Pegasus is typically delivered as part of highly targeted zero-click attacks that require no interaction from the victim, with the exploit chain providing the code execution and privilege escalation the implant needs.

"Predator is an interesting piece of spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it highly flexible and dangerous," Talos reports.

Both Predator and Alien are designed to get around Android's security mechanisms, among them the mandatory access control layer Security-Enhanced Linux (SELinux). Alien is loaded into Zygote, the core Android process from which app processes are forked, and from there it fetches and launches the other spyware components.
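Code that has been loaded into Zygote has to live somewhere in that process's address space, so one generic triage step on a device you can examine (root or a forensic image is needed to read Zygote's /proc/&lt;pid&gt;/maps) is to look for executable regions that should not be there. The following is an added example, not code from Cisco Talos or from the report, and it does not encode any Predator-specific indicator: it applies the usual heuristics (writable+executable regions, anonymous executable regions, executable files outside the system partitions) to a constructed, made-up maps excerpt. The trusted-partition list and the expected anonymous regions are assumptions that may need tuning for a given Android build.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of /proc/<pid>/maps lines for a zygote64-like process.
# Made-up data for this example, not a capture from an infected device.
SAMPLE_MAPS = """\
7f1a2b0000-7f1a2c1000 r-xp 00000000 fd:00 1234       /system/lib64/libc.so
7f1a2c1000-7f1a2c3000 r--p 00011000 fd:00 1234       /system/lib64/libc.so
7f1a2d0000-7f1a3d0000 r-xp 00000000 00:00 0          [anon:dalvik-jit-code-cache]
7f1a4e0000-7f1a4f0000 rw-p 00000000 00:00 0          [anon:libc_malloc]
7f1a5f0000-7f1a600000 r-xp 00000000 fd:00 5678       /apex/com.android.runtime/lib64/bionic/libdl.so
7f1a700000-7f1a720000 rwxp 00000000 00:00 0
7f1a800000-7f1a810000 r-xp 00000000 fd:01 9999       /data/local/tmp/libhelper.so
"""

# Fields of a maps line: address range, perms, offset, device, inode, optional pathname.
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+([rwxps-]{4})\s+[0-9a-f]+\s+\S+\s+\d+\s*(.*)$"
)

# Assumption: partitions that normally back executable code in Android system processes.
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/product/", "/system_ext/", "/odm/")

# Assumption: named anonymous regions that are expected to be executable in an ART
# process (the JIT code cache); other executable anonymous regions get flagged.
EXPECTED_ANON_EXEC = ("[anon:dalvik-jit-code-cache]", "[vdso]")


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def parse_maps(text: str) -> List[Tuple[int, int, str, str]]:
    """Parse /proc/<pid>/maps text into (start, end, perms, path) tuples."""
    rows = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the triage
        start, end, perms, path = m.groups()
        rows.append((int(start, 16), int(end, 16), perms, path.strip()))
    return rows


def suspicious_mappings(text: str) -> List[Finding]:
    """Flag executable regions that do not look like normal system code."""
    findings = []
    for start, end, perms, path in parse_maps(text):
        if "x" not in perms:
            continue  # only executable regions matter for injected-code triage
        if "w" in perms:
            findings.append(Finding(start, end, perms, path, "writable and executable mapping"))
        elif path == "":
            findings.append(Finding(start, end, perms, path, "anonymous executable mapping"))
        elif path.startswith("/") and not path.startswith(TRUSTED_PREFIXES):
            findings.append(Finding(start, end, perms, path, "executable file outside system partitions"))
        elif path.startswith("[") and path not in EXPECTED_ANON_EXEC:
            findings.append(Finding(start, end, perms, path, "unexpected named executable region"))
    return findings


if __name__ == "__main__":
    for f in suspicious_mappings(SAMPLE_MAPS):
        print(f"{f.start:x}-{f.end:x} {f.perms} {f.path or '<anon>'}: {f.reason}")
```

On the sample, the rwxp anonymous region and the library mapped from /data/local/tmp are reported, while libc, libdl and the ART JIT cache are not. Treat hits as leads, not verdicts: legitimate apps with their own JIT or native plugins produce similar regions, and an implant that has already subverted SELinux can also tamper with what /proc reports, so a clean result does not prove a clean device.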

It is not yet clear how Alien is initially activated on an infected device, though it is suspected to be loaded by shellcode executed in the initial exploit stage.

"Alien is not just a loader but also an executor – its multiple threads continue to read commands coming from Predator and execute them, giving the spyware the means to bypass some of Android's security features," the company says.

The various Python modules associated with Predator allow it to carry out a wide range of tasks, including information theft, surveillance, remote access and arbitrary code execution.

Read the entire Cisco white paper.

