Researchers Reveal Predator Spyware’s Data Theft Capabilities
Cybersecurity researchers at Cisco Talos and the Citizen Lab have delved into the inner workings of the notorious Predator Android spyware, shedding light on its sophisticated surveillance capabilities.
Developed by the Israeli company Intellexa (formerly known as Cytrox), Predator records phone calls, collects information from messaging apps (including WhatsApp), and even hides certain applications and prevents their execution. It has been implicated in targeted attacks against journalists, high-profile European politicians, and executives at Meta.
The Predator spyware exploits Android zero-day vulnerabilities, as disclosed by Google TAG in May 2022. By chaining multiple vulnerabilities together, the spyware could achieve shellcode execution. This allowed it to deliver Predator's loader component, aptly named 'Alien', onto the target device.
Alien, injected into the core Android process 'zygote64,' assumes a crucial role by establishing a foundation for Predator's malicious activities. Acting as both a loader and executor, Alien downloads additional spyware components based on a predefined configuration. It conceals these components within legitimate system processes, evading detection from Android security mechanisms such as SELinux.
Cisco Talos, which examined the spyware in depth, highlighted its spearhead module, Predator. They explained that the component enters the device as an ELF file and sets up a Python runtime environment that powers its various espionage functions.
Predator's Python modules, in collaboration with Alien, offer an extensive range of intrusive functionality. Alien recursively scans directories holding user data from messaging, social media, email, and browser apps. It also meticulously lists private files residing in the user's media folders, such as audio, images, and video.
One of the most alarming features of Predator is its ability to spy on TLS-encrypted network communications and even conduct man-in-the-middle attacks. It does this by installing custom certificates into the user-level store of trusted certificate authorities. The certificates are believed to be installed at the user level rather than the system level because this leaves the device's normal operation unaffected; a system-level change could tip off the user that something is wrong.
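The user-level trust store described above is exactly what Android's Network Security Config lets an app opt out of, so here is an added illustration (not from the Talos or Citizen Lab write-ups): a permissive res/xml/network_security_config.xml that trusts user-added CAs beside a hardened one that trusts only the system store. The element names and manifest attribute are the standard Android ones; the domain and pin digests are placeholders.

```xml
<!-- res/xml/network_security_config.xml, wired up in AndroidManifest.xml with
     <application android:networkSecurityConfig="@xml/network_security_config" ...>
     Two alternative files are shown back to back; use one or the other. -->

<!-- WEAK: trusting "user" anchors means any CA added to the user-level store,
     including one planted there by spyware, can mint a certificate for every
     host this app talks to. Debugging guides often recommend this and forget
     to remove it before release. -->
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<!-- HARDENED: only the system store is trusted for release builds, cleartext
     is refused, and the app's own API host is additionally pinned to its SPKI
     hashes so even a rogue system CA cannot impersonate it. User-added CAs are
     honoured only in debuggable builds via debug-overrides. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <domain-config>
        <domain includeSubdomains="true">api.example.com</domain> <!-- placeholder host -->
        <pin-set expiration="2025-12-31">
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
    <!-- Applied only when android:debuggable="true"; ignored in release builds. -->
    <debug-overrides>
        <trust-anchors>
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>
```

Apps targeting Android 7.0 (API 24) or later already ignore user-added CAs unless the config opts back in, so the weak form above is a regression an app introduces itself; the hardened form makes the intent explicit and adds pinning for the app's own backend.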
As the investigation into Predator continues, researchers strive to unveil its complete functionality.