Sunday, May 28, 2023
Researchers uncover details of how Predator spyware works

Even after in-depth analysis by specialists, parts of the spyware remain unknown.

The research groups Cisco Talos and Citizen Lab have published a technical analysis of the commercial Android spyware Predator and its loader, “Alien”.

Predator is commercial spyware for mobile platforms (iOS and Android) that has been linked to spying operations against journalists, high-ranking European politicians, and even Meta executives *.

Predator can record phone calls, collect information from messaging apps, and even hide apps or block them from running on infected Android devices.

Alien Loader

In May 2022, Google's Threat Analysis Group (TAG) disclosed five Android vulnerabilities that Predator used to execute shellcode and install the Alien loader on the target device.

Alien injects itself into the core Android process “zygote64” and then downloads and activates additional spyware components according to its built-in configuration. Alien fetches the Predator component from an external address and runs it on the device, or updates an existing module to a newer version if one is available.

Alien then keeps running on the device, providing covert communication between the spyware components, hiding them inside legitimate system processes, and receiving commands from Predator to execute, all while bypassing Android's SELinux protection.

Bypassing SELinux is the key capability that sets this spyware apart from the infostealers and trojans sold on Telegram for $150-300 a month.

Cisco explains that Alien defeats this protection by abusing SELinux contexts, the labels that determine which users and what level of information each process and object in the system is allowed to access, and removing the existing restrictions.

In addition, Alien listens for “ioctl” (input/output control) commands used for internal communication between the spyware components, which SELinux does not check. Alien also stores stolen data and recordings in a shared memory region and later moves them to storage, from where they are eventually uploaded through Predator. This process triggers no access violations and goes unnoticed by SELinux.

Predator is the main spyware module. It arrives on the device as an ELF file and sets up a Python runtime to provide the various spying functions.

Predator functionality includes:

  • execution of arbitrary code;
  • audio recording;
  • replacement of certificates;
  • hiding applications;
  • preventing applications from starting (after a reboot);
  • listing directories.

Notably, Predator checks whether it is running on a Samsung, Huawei, Oppo, or Xiaomi device. If so, the malware recursively lists the contents of directories that store user data for email applications, instant messengers, social networks, and browsers. Predator also enumerates the victim's contact list and sensitive files in the user's media folders, including audio, images, and videos.

Predator also performs certificate spoofing: it installs user certificates into the set of CAs the user's device currently trusts. This allows Predator to conduct man-in-the-middle (MitM) attacks and spy on TLS-encrypted network traffic.

Cisco notes that Predator uses this feature cautiously: the malware does not install certificates at the system level, since that can interfere with the device's operation and draw the user's attention.
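A defender-side check that follows from the user-store detail above, added here as an example and not code from Cisco Talos, Citizen Lab or this article: it audits the PEM files from Android's user-added CA store against an allow-list of fingerprints, so any CA the organisation never deployed stands out. The store path is the standard Android location for user 0; pulling the files (which needs root or a forensic image) is assumed rather than performed, and the certificate bodies below are constructed placeholders.

```python
"""Audit Android's user-added CA store (/data/misc/user/<n>/cacerts-added/) against a baseline."""
import base64
import hashlib
import ssl
from typing import Dict, List, Set

USER_CA_DIR = "/data/misc/user/0/cacerts-added"  # where Android keeps user 0's added CAs


def make_pem(der: bytes) -> str:
    """Wrap bytes in PEM armour; used here only to build the constructed samples."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, the fingerprint Android shows in certificate details."""
    der = ssl.PEM_cert_to_DER_cert(pem)  # raises ValueError on broken PEM framing
    return hashlib.sha256(der).hexdigest()


def audit_user_cas(store: Dict[str, str], approved: Set[str]) -> List[dict]:
    """One finding per file; 'suspicious' is True for any CA outside the baseline
    and for files that are not valid PEM (tampering or a broken install)."""
    findings = []
    for filename, pem in sorted(store.items()):
        try:
            fp = fingerprint(pem)
        except ValueError as exc:
            findings.append({"file": filename, "sha256": None, "suspicious": True,
                             "reason": f"unparseable: {exc}"})
            continue
        ok = fp in approved
        findings.append({"file": filename, "sha256": fp, "suspicious": not ok,
                         "reason": "" if ok else "CA not in approved baseline"})
    return findings


# Constructed sample store: names follow Android's <subject_hash>.<n> pattern,
# bodies are placeholder bytes, not real certificates.
SAMPLE_STORE = {
    "3a1b2c4d.0": make_pem(b"constructed corporate MDM root CA"),
    "9f8e7d6c.0": make_pem(b"constructed unexpected CA dropped by spyware"),
    "deadbeef.0": "not a certificate at all",
}
APPROVED = {fingerprint(SAMPLE_STORE["3a1b2c4d.0"])}  # baseline the defender maintains

if __name__ == "__main__":
    for finding in audit_user_cas(SAMPLE_STORE, APPROVED):
        print(finding)
```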

Missing Parts

Despite this in-depth analysis of the spyware's components, the researchers do not know the details of two modules, “tcore” (the main component) and “kmem” (the privilege-escalation mechanism). Both are loaded into Predator's Python runtime.

Analysts believe “tcore” tracks the target's geolocation, takes pictures with the camera, and can simulate the device being switched off. “kmem”, in turn, provides arbitrary read and write access to kernel space.

Because these modules could not be extracted from infected devices, parts of the Predator spyware remain unexplored.

Predator was developed by Cytrox, a company based in North Macedonia that sells commercial spyware and other surveillance tools. Cytrox is also behind another spyware called Hermit, which has been used to hack into the smartphones of journalists and activists in India.

Predator is not the only spyware used against high-risk users. Another example is Pegasus, developed by the Israeli company NSO Group, which can likewise hack and track Android and iOS smartphones. Pegasus has been used to spy on journalists, human rights activists, politicians, and businessmen around the world.

Apple, one of the smartphone manufacturers whose devices are targeted by Predator and Pegasus, introduced a new security feature called Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura. It disables certain features to provide maximum protection against “targeted cyberattacks”.

* Meta and its products (Instagram and Facebook) are recognized as extremist; their activities are prohibited on the territory of the Russian Federation.
