Security researchers have shared in-depth information about a commercial Android spyware called Predator, which is marketed by the Israeli company Intellexa (formerly Cytrox).
Predator was first documented by the Google Threat Analysis Group (TAG) in May 2022 as part of an attack that exploited five different zero-day vulnerabilities in the Chrome web browser and Android.
The spyware, which is delivered via another loader component called Alien, is equipped to record audio from phone calls and VoIP-based applications and collect contacts and messages, including those from Signal, WhatsApp, and Telegram.
Other functionalities allow it to hide apps and prevent them from starting on reboot of the handset.
“This deep dive into both spyware components shows that Alien is more than just a loader for the Predator and actively orchestrates the low-level capabilities needed by the Predator to spy on its victims,” Cisco Talos said in technical reports.
Spyware such as Predator and NSO Group’s Pegasus is carefully delivered as part of highly targeted attacks by weaponizing so-called clickless exploit chains, which usually require no interaction from the victim and allow code execution and privilege escalation.
“Predator is an interesting part of the mercenary spyware army that has been around since at least 2019, designed to be flexible so that new Python-based modules can be delivered without the need for repeated exploits, making it extremely versatile and dangerous,” Talos explains.
Both Predator and Alien are designed to bypass security fences on Android, with the latter being loaded into a core Android process called Zygote to download and launch other spyware modules, including Predator, from external servers.
It is currently unclear how Alien is activated on the infected device. However, it is suspected to be loaded from shellcode that is executed by taking advantage of an early-stage exploit.
“Alien is not only a loader but also an executor – its many threads will continuously read commands coming from the Predator and execute them, providing spyware with a means to bypass some of the security features of the Android framework,” the company said.
The various Python modules associated with Predator make it possible to accomplish a wide variety of tasks such as information theft, surveillance, remote access and arbitrary code execution.
The spyware, which arrives as an ELF binary before setting up the Python runtime environment, can also add certificates to the store and enumerate the contents of various directories on disk if it is running on a device manufactured by Samsung, Huawei, Oppo, or Xiaomi.
That said, there are still a lot of missing pieces that could help solve the attack puzzle. These include a main module called tcore and a privilege escalation mechanism called kmem, both of which have remained elusive so far.
Cisco Talos theorizes that tcore could implement other features such as geolocation tracking, camera access, and simulating a shutdown to covertly spy on victims.
The findings come as the use of commercial spyware by threat actors has surged in recent years, just as the number of cyber mercenary companies supplying these services is on the rise.
While these sophisticated tools are intended for exclusive use by governments to fight serious crimes and combat threats to national security, they have also been abused by customers to monitor dissidents, human rights activists, journalists, and other members of civil society.
For example, the digital rights group Access Now says it uncovered evidence of Pegasus targeting a dozen people in Armenia – including an NGO worker, two journalists, a UN official, and a human rights ombudsman. One of the victims was hacked at least 27 times between October 2020 and July 2021.
“This is the first documented evidence of the use of Pegasus spyware in a context of international war,” Access Now said, adding the investigation began after Apple sent a notification to the individual in question that they may have been the victim of a state-sponsored spyware attack in November 2021.
There is no conclusive evidence linking the use of the spyware to specific government agencies in either Armenia or Azerbaijan. It should be noted that Armenia was outed as an Intellexa customer by Meta in December 2021 in an attack aimed at politicians and journalists in the country.
Moreover, cybersecurity firm Check Point earlier this year revealed that various Armenian entities had been infected with a Windows backdoor called OxtaRAT as part of an espionage campaign aligned with Azerbaijan’s interests.
In a more unusual turn of events, The New York Times and The Washington Post reported this week that the Mexican government may be spying on itself by using Pegasus against a senior official tasked with investigating alleged military misconduct.
Mexico was also the first and most prolific user of Pegasus, despite pledging to stop the notorious spyware’s illegal use.