Security researchers at Cisco Talos and the Citizen Lab have presented a new technical analysis of the commercial Android spyware ‘Predator’ and its loader ‘Alien,’ sharing its data-theft capabilities and other operational details.
Predator is a commercial spyware for mobile platforms (iOS and Android) developed and sold by Israeli company Intellexa.
The spyware family has been linked to surveillance operations targeting journalists, high-profile European politicians, and even Meta executives.
The spyware can record phone calls, collect information from messaging apps, or even hide applications and prevent their execution on infected Android devices.
The Alien loader
In May 2022, Google TAG revealed five Android zero-day vulnerabilities that the Predator spyware chained to perform shellcode execution to drop Predator’s loader ‘Alien’ on a targeted device.
The Alien loader is injected into a core Android process named ‘zygote64’ and then downloads and activates additional spyware components based on a hard-coded configuration.
Alien fetches the Predator component from an external address and launches it on the device or upgrades the existing payload with a newer version if available.
After that, Alien continues to operate on the device, facilitating discreet communications between the spyware’s components by hiding them within legitimate system processes and receiving commands from Predator to execute while bypassing Android security (SELinux).
An SELinux bypass is a crucial function of the spyware, differentiating it from $150-300/month info-stealers and trojans sold on Telegram.
Cisco explains that Alien achieves that by abusing SELinux’s contexts that determine which users and what level of information is permitted on each process and object in the system, lifting existing restrictions.
Moreover, Alien listens for “ioctl” (input/output control) commands for the spyware’s internal-component communications, which SELinux does not inspect.
Finally, Alien saves stolen data and recordings on a shared memory space, then moves it to storage, eventually exfiltrating it through Predator. This process triggers no access violations and goes unnoticed by SELinux.
Predator capabilities
Predator is the spearhead module of the spyware, arriving on the device as an ELF file and setting up a Python runtime environment to facilitate the various espionage functionalities.
The amount of logging performed on the compromised device changes depending on whether the Predator implant is a development or a stable version.
The functionalities facilitated by Predator’s Python modules, and performed together with Alien, include arbitrary code execution, audio recording, certificate poisoning, application hiding, app execution prevention (after reboot), and directory enumeration.
The spyware’s loader, Alien, checks if it runs on a Samsung, Huawei, Oppo, or Xiaomi, and if there’s a match, it recursively enumerates the contents of directories that hold user data from email, messaging, social media, and browser apps.
It also enumerates the victim’s contact list and lists private files in the user’s media folders, including audio, images, and video.
The spyware also uses certificate poisoning to install custom certificates to the current user-trusted certificate authorities, allowing Predator to conduct man-in-the-middle attacks and spy on TLS-encrypted network communication.
Cisco comments that Predator is careful with this ability, not installing the certificates at the system level to avoid interference at the operational level of the device, which might tip victims that something’s wrong.
“From an attacker’s perspective, the risks outweigh the reward, since with user-level certificates, the spyware can still perform TLS decryption on any communication within the browser,” explain the researchers.
Missing pieces
Even though Cisco and Citizen Lab went deep into the spyware’s components, the researchers are still missing details about two modules, namely ‘tcore’ and ‘kmem,’ both loaded in Predator’s Python runtime environment.
“We assess with high confidence that the spyware has two additional components — tcore (main component) and kmem (privilege escalation mechanic) — but we were unable to obtain and analyze these modules,” explains Cisco’s report.
The analysts believe that tcore performs geolocation tracking, snapping images from the camera, or simulating a device power-off.
Cisco’s hypothesis for the kmem module is that it provides arbitrary read and write access into the kernel address space.
Since neither could be retrieved from infected devices, parts of Intellexa’s Predator spyware remain uncharted.