Researchers Uncover New Data Theft Capabilities

Predator Android Spyware

Security researchers have shared details of a commercial Android spyware called Predator, marketed by an Israeli company, Intellexa (formerly Cytrox).

Predator was first documented by Google’s Threat Analysis Group (TAG) in May 2022 as part of an attack leveraging five different zero-day flaws in the Chrome web browser and Android.

The spyware is delivered by a separate loader component called Alien and has the ability to record audio from phone calls and VoIP-based apps, and collect contacts and messages from Signal, WhatsApp, Telegram, and others.

Other features allow it to hide applications or prevent them from running when the handset restarts.

In a technical report, Cisco Talos said, “A closer look at both spyware components reveals that Alien is more than just a loader for Predator; it actively sets up the low-level functionality Predator needs to monitor its victims.”

Spyware such as Predator and NSO Group’s Pegasus is deliberately delivered as part of targeted attacks by weaponizing so-called zero-click exploit chains. Such chains typically achieve code execution and privilege escalation without requiring any action by the victim.

“Predator is an interesting piece of mercenary spyware that has been around since at least 2019. It is designed to be flexible enough to deliver new Python-based modules without repeated exploitation, making it particularly versatile and dangerous,” explained Talos.

Both Predator and Alien are designed to circumvent Android’s security guardrails, with the latter being loaded into a core Android process called Zygote, which downloads and launches other spyware modules, including Predator, from an external server.

It is currently unknown how Alien is activated on infected devices in the first place. However, it is suspected to be loaded from shellcode executed using early-stage exploits.

“Alien is more than just a loader, it’s also an executer. Its multiple threads read and continue to execute commands from Predator, giving the spyware a way to bypass some of the Android framework’s security features,” said the company.

Various Python modules associated with Predator enable a wide range of tasks such as information theft, surveillance, remote access, and arbitrary code execution.

The spyware arrives as an ELF binary and then sets up the Python runtime environment. When running on a Samsung, Huawei, Oppo or Xiaomi device, it adds certificates to the device’s certificate store and extracts various files to disk. It can also enumerate the contents of various directories.

That said, there are still plenty of missing pieces needed to complete the attack puzzle. These include a main module called tcore and a privilege escalation mechanism called kmem, neither of which has been obtained so far.

Cisco Talos theorized that tcore may have implemented other features such as location tracking, camera access, and shutdown simulations to surreptitiously monitor victims.


The findings come amid a recent surge in the use of commercial spyware by threat actors, just as the number of cyber mercenary firms offering these services is on the rise.

While these advanced tools are intended for exclusive use by governments to combat serious crime and threats to national security, they have also been abused by customers to monitor dissidents, human rights activists, journalists and other members of society.

Case in point, digital rights group Access Now said it has found evidence that Pegasus targeted more than a dozen people, including an Armenian NGO worker, two journalists, a UN official, and an Armenian human rights ombudsman. One victim was hacked at least 27 times between October 2020 and July 2021.


Access Now said, “This is the first documented evidence of the use of Pegasus spyware in the context of an international war,” adding that it launched its investigation after the individuals in question received notifications from Apple in November 2021 warning that they may have been targeted by state-sponsored spyware.

There is no definitive evidence linking the spyware use to a specific government agency in either Armenia or Azerbaijan. It is worth noting, however, that in December 2021 Armenia was exposed by Meta as an Intellexa customer in attacks targeting politicians and journalists in the country.

Additionally, cybersecurity firm Check Point revealed earlier this year that various Armenian organizations were infected with a Windows backdoor dubbed OxtaRAT as part of an espionage campaign aligned with Azerbaijan’s interests.

In a more unusual development, the New York Times and Washington Post reported this week that the Mexican government may have used Pegasus to spy on senior officials in the country who were investigating allegations of military abuses.

Mexico is also the first and most prolific user of Pegasus, despite promises to end its notorious illegal use of the spyware.
