Predator (Intellexa): new features discovered

Security researchers detail the inner workings of commercial Android spyware called Predator, which is marketed by Israeli company Intellexa (formerly Cytrox).

Predator was first reported by Google's Threat Analysis Group (TAG) in May 2022 as part of attacks that leveraged five different vulnerabilities in the Chrome browser and in Android.

The spyware, delivered via another payload known as Alien, is equipped to record audio from phone calls and VoIP-based applications, and to collect contacts and messages from applications such as Signal, WhatsApp and Telegram.

Other features allow it to hide apps and to prevent apps from running after the device restarts.

"A deep dive into both pieces of eavesdropping software suggests that Alien is not just a loader for Predator but actively configures the low-level capabilities required for Predator to spy on its victims," Cisco Talos said in a technical report.

Spyware such as Predator and NSO Group's Pegasus is carefully delivered as part of highly targeted zero-click attacks, which typically require no interaction from the victim and give the attacker code execution and privilege escalation on the device.

"Predator is an interesting piece of spyware that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploitation, thus making it highly flexible and dangerous," Talos reports.

Both Predator and Alien are designed to bypass an Android protection called Security-Enhanced Linux (SELinux), with Alien being loaded into a core Android process called Zygote in order to download and launch further spyware components.

It is currently unclear how Alien is initially activated on an infected device. However, it is suspected that it is loaded by shellcode executed by the early-stage exploits.

"Alien is not just a loader but also an executor – its multiple threads continue to read commands coming from Predator and execute them, giving the spyware the means to bypass some of Android's security features," the company says.

The various Python modules associated with Predator make it possible to perform a wide range of tasks, such as information theft, surveillance, remote access and arbitrary code execution.

Read the full Cisco Talos report for the complete analysis.


Written by giorgos

George still wonders what he's doing here ...
