Security researchers have published an in-depth study of the commercial Android spyware known as Predator, revealing its sophistication. The spyware is a product of the Israeli company Intellexa (formerly known as Cytrox).
Predator came to public attention through Google’s Threat Analysis Group (TAG) in May 2022, when it was linked to attacks exploiting five distinct zero-day vulnerabilities in the Chrome web browser and Android.
Predator, loaded through an additional component referred to as Alien, is capable of recording audio from phone calls and VoIP-based app conversations. It can also extract contacts and messages, including those from Signal, WhatsApp, and Telegram. Moreover, it can hide applications and prevent them from executing when the smartphone reboots.
According to a technical report from Cisco Talos, an exhaustive analysis of both spyware modules shows that Alien does more than merely load Predator: it actively sets up the low-level capabilities Predator needs to conduct surveillance on its victims.
Spyware technologies such as Predator and NSO Group’s Pegasus are deployed in highly targeted attacks. These attacks rely on so-called zero-click exploit chains, which typically require no victim interaction and allow code execution and privilege escalation.
Cisco Talos noted that Predator is a distinctive piece of mercenary spyware that has existed since at least 2019. It is designed to be flexible, allowing new Python-based modules to be delivered without repeated exploitation, which makes it notably versatile and threatening.
Predator and Alien are engineered to evade Android’s security mechanisms. Alien is injected into a core Android process named Zygote, from which it can download and launch other spyware modules, including Predator, from an external server.
How Alien is initially activated on a compromised device is still unclear. It is believed to be launched via shellcode executed by the initial-stage exploits.
Besides acting as a loader, Alien also functions as an executor: its multiple threads continually read and carry out commands from Predator. This gives the spyware the ability to bypass some Android framework security features.
Predator, together with its various Python modules, can carry out a diverse array of tasks, such as information theft, surveillance, remote access, and arbitrary code execution. Arriving as an ELF binary, the spyware sets up a Python runtime environment. If it is running on a device from Samsung, Huawei, Oppo, or Xiaomi, it can additionally add certificates to the certificate store and enumerate the contents of various disk directories.
However, certain missing pieces that would help in understanding the complete attack mechanism, namely a primary module referred to as tcore and a privilege escalation mechanism named kmem, have not been obtained at this point.
Cisco Talos hypothesized that tcore might enable other features such as geolocation tracking, camera access, and faking a shutdown in order to surveil victims covertly.
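As an added defender-side illustration (not code from the Cisco Talos report or from this article), the following Python script shows one forensic check that follows from the loader behaviour described above, where Alien is injected into the Zygote process and executes further modules from there: parse a process's `/proc/<pid>/maps` and flag executable regions that are not backed by a file on disk, or that are both writable and executable. The maps lines are constructed sample data modelled on a 64-bit `app_process` layout, and the allow-list of expected anonymous executable regions is an assumption that needs tuning per Android build.

```python
import re
from typing import Dict, List

# Constructed sample of /proc/<pid>/maps lines, modelled on a 64-bit Android
# app_process (Zygote) layout. Addresses and inodes are made up, not a real capture.
SAMPLE_MAPS = """\
7a3c000000-7a3c001000 r--p 00000000 fd:00 1234 /system/bin/app_process64
7a3c001000-7a3c003000 r-xp 00001000 fd:00 1234 /system/bin/app_process64
7a3c200000-7a3c300000 r-xp 00000000 fe:00 5678 /apex/com.android.art/lib64/libart.so
7a3d000000-7a3d010000 rw-p 00000000 00:00 0 [anon:libc_malloc]
7a3e000000-7a3e020000 rwxp 00000000 00:00 0
7a3f000000-7a3f004000 r-xp 00000000 00:00 0 [anon:injected]
7a40000000-7a40100000 r-xp 00000000 00:00 0 [anon:dalvik-jit-code-cache]
7ffd000000-7ffd021000 rw-p 00000000 00:00 0 [stack]
"""

# One maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Anonymous executable regions expected in a healthy Android process (assumed
# allow-list). The ART JIT code cache is the classic false positive here;
# extend the list for the builds you actually triage.
EXPECTED_ANON_EXEC = ("[vdso]", "[vectors]", "[anon:dalvik-jit-code-cache]")


def parse_maps(text: str) -> List[Dict[str, object]]:
    """Parse /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        d = m.groupdict()
        regions.append({
            "start": int(d["start"], 16),
            "end": int(d["end"], 16),
            "perms": d["perms"],
            "inode": int(d["inode"]),
            "path": d["path"].strip(),
        })
    return regions


def find_suspicious(text: str) -> List[Dict[str, object]]:
    """Flag executable regions with no backing file (inode 0) that are not on the
    allow-list, plus any region that is both writable and executable. Code injected
    into a host process commonly leaves one or both of these traces."""
    hits = []
    for r in parse_maps(text):
        perms = r["perms"]
        if "x" not in perms:
            continue
        reasons = []
        if "w" in perms:
            reasons.append("writable and executable")
        if r["inode"] == 0 and not r["path"].startswith(EXPECTED_ANON_EXEC):
            reasons.append("anonymous executable mapping")
        if reasons:
            hits.append({**r, "reason": "; ".join(reasons)})
    return hits


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_MAPS):
        label = h["path"] or "<no path>"
        print(f"{h['start']:#x}-{h['end']:#x} {h['perms']} {label}: {h['reason']}")
```

Run against the constructed sample, the script flags the unnamed `rwxp` region and the `[anon:injected]` region and leaves the JIT cache alone. On a real device the input would come from a forensic image or, on a rooted test handset, from `adb shell cat /proc/<pid>/maps` for the Zygote process; treat a hit as a lead for memory acquisition rather than proof of infection, since JIT engines and some vendor libraries also create anonymous executable memory.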
These revelations come as the use of commercial spyware by threat actors has increased significantly in recent years, in parallel with the rise of cyber mercenary companies offering these services.
These advanced tools, intended solely for use by governments to tackle serious crimes and national security threats, have been misused to spy on dissidents, human rights activists, journalists, and other members of civil society.
To illustrate, Access Now, a digital rights organization, said it had found evidence of Pegasus being used to target a dozen individuals in Armenia, including an NGO employee, two journalists, a United Nations official, and the country’s human rights ombudsman. One victim was reportedly hacked 27 times between October 2020 and July 2021. Access Now stated that this marked the first documented evidence of Pegasus spyware being used in the context of an international war; it began its investigation after Apple notified potential victims of state-sponsored spyware attacks in November 2021.
No definitive connections have been made linking spyware usage to a particular government agency in either Armenia or Azerbaijan. Of note is the fact that Armenia was disclosed as a client of Intellexa by Meta in December 2021 in relation to attacks targeting the nation’s politicians and journalists.
Additionally, Check Point, a cybersecurity firm, earlier reported that several Armenian entities were infected with a Windows backdoor called OxtaRAT, aligning with Azerbaijani interests, as part of an espionage campaign.
In an unexpected development, both The New York Times and The Washington Post recently reported that the Mexican government might be using Pegasus to spy on its own officials, including a high-ranking official investigating alleged military abuses.
Despite pledging to halt the unlawful use of Pegasus, Mexico has been identified as the first and most prolific user of this notorious spyware.