We rank vendors based on rigorous testing and research, but also take into account your feedback and our commercial agreements with providers. This page contains affiliate links.
Disclosure:
Professional Reviews

vpnMentor contains reviews that are written by our community reviewers. These take into consideration the reviewers’ independent and professional examination of the products/services.

Ownership

vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, ZenMate, Private Internet Access, and Intego, which may be reviewed on this website.

Affiliate Commissions Advertising

vpnMentor contains reviews that follow the strict reviewing standards, including ethical standards, that we have adopted. Such standards require that each review will take into consideration the independent, honest and professional examination of the reviewer. That being said, we may earn a commission when a user completes an action using our links, at no additional cost to them. On listicle pages, we rank vendors based on a system that prioritizes the reviewer’s examination of each service, but also considers feedback received from our readers and our commercial agreements with providers.

Reviews Guidelines

The reviews published on vpnMentor are written by community reviewers that examine the products according to our strict reviewing standards. Such standards ensure that each review prioritizes the independent, professional and honest examination of the reviewer, and takes into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings we publish may also take into consideration the affiliate commissions we earn for purchases through links on our website.

Researchers Reveal Predator Spyware’s Data Theft Capabilities

Researchers Reveal Predator Spyware’s Data Theft Capabilities
Author Image Zane Kennedy
Zane Kennedy Published on 29th May 2023 Cybersecurity Researcher

Cybersecurity researchers at Cisco Talos and the Citizen Lab have delved into the inner workings of the notorious Predator Android spyware, shedding light on its sophisticated surveillance capabilities.

Developed by the Israeli company Intellexa (formerly known as Cytrox), Predator records phone calls, collects information from messaging apps (including WhatsApp), and even hides certain applications and prevents their execution. It has been implicated in targeted attacks against journalists, high-profile European politicians, and executives at Meta.

The Predator spyware exploits Android zero-day vulnerabilities, as disclosed by Google TAG in May 2022. By chaining multiple vulnerabilities together, the spyware could perform shellcode execution. This allowed it to deliver Predator's loader component, aptly named 'Alien’, onto the target device.

Alien, injected into the core Android process 'zygote64,' assumes a crucial role by establishing a foundation for Predator's malicious activities. Acting as both a loader and executor, Alien downloads additional spyware components based on a predefined configuration. It conceals these components within legitimate system processes, evading detection from Android security mechanisms such as SELinux.

Cisco Talos, who extensively examined the spyware, highlighted the spearhead module Predator. They explained that the component enters the device as an ELF file and sets up a Python runtime environment to enable various espionage functionalities.

Predator's Python modules, in collaboration with Alien, offer an extensive range of intrusive functionality. Alien recursively scans directories holding user data from messaging, social media, email, and browser apps. It also meticulously lists private files residing in the user's media folders, such as audio, images, and video.

One of the most alarming features of Predator is its ability to spy on TLS-encrypted network communications and even conduct man-in-the-middle attacks. It does this by installing custom certificates to the user's trusted certificate authorities at the user level. It’s believed that certificates are installed at the user-level as opposed to the system-level as it ensures the operation of the device isn't adversely affected, which could tip off the user that something is wrong.

As the investigation into Predator continues, researchers strive to unveil its complete functionality.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.