Cisco Talos has published an analysis of a commercial spyware product sold by Intellexa (formerly Cytrox).
Spyware vendors go to considerable lengths to make their final payloads hard to identify, obtain, analyze, and defend against, and they design delivery procedures that often require little or no interaction from the victim.
The delivery method is typically a chain of exploits that can begin with a zero-click exploit, like FORCEDENTRY, which is produced by the Israeli spyware company NSO Group, or with a link that the victim is tricked into clicking (i.e., a “one-click” exploit) like the one developed by the surveillance company Cytrox to deploy their spyware known as “PREDATOR.”
PREDATOR is a notable piece of mercenary spyware that has been in use since at least 2019.
It was designed to be flexible, so that new Python-based modules can be delivered to an infected device without repeated exploitation, which makes it both versatile and dangerous.
It works together with a second spyware component that is deployed alongside it, known as ALIEN.
Together, the two components let the spyware bypass established security measures of the Android operating system.
“A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims,” Cisco Talos said.
Spyware Attack Stages
Like most spyware tools that have come to light recently, Intellexa's spyware products consist of several components, which fall into three main categories that correspond to the different stages of the attack.
In exploit chains, the first two stages, exploitation and privilege escalation, start by exploiting a remote vulnerability to obtain remote code execution (RCE), then proceed to mitigation bypass and privilege escalation, since the vulnerable processes are often low-privileged, to complete the attack.
“While ALIEN and PREDATOR can be used against Android and iOS mobile devices, the samples we analyzed were specifically designed for Android,” Talos explained.
“For privilege escalation, the spyware is configured to use a method called QUAILEGGS, or, if QUAILEGGS is not present, it will use a different method called “kmem.” The samples we analyzed were running QUAILEGGS.”
The core spyware functionality lives in a Python package called Tcore. Analysis of the native code of ALIEN and PREDATOR shows that the spyware can record audio from phone calls and from VoIP-based applications.
It can also collect data from some of the most widely used messaging apps, including Signal, WhatsApp, and Telegram. Peripheral functionality includes hiding applications and preventing applications from running after the device reboots.
Cisco Talos also suspects that Tcore may have had additional capabilities, including camera access, geolocation tracking, and simulating a shutdown, that would let it spy on victims discreetly.
According to the assessment, the kmem method provides arbitrary read and write access to the kernel address space, which is enough on its own to escalate privileges once code execution has been obtained.
“Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features,” the company said.
When combined, these components offer a range of information stealing, surveillance, and remote access capabilities.
Talos notes that it does not have access to every component of the spyware, so this list of capabilities is not meant to be exhaustive.
The spyware arrives as an ELF binary, which then sets up a Python runtime environment on the device.
If it is running on a Samsung, Huawei, Oppo, or Xiaomi handset, it can also add certificates to the certificate store, and when one of those manufacturer names matches it recursively enumerates the contents of a set of directories on disk.
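A native loader that brings up its own Python interpreter gives a triage analyst something concrete to look for: CPython API symbols, runtime environment variables, and bundled bytecode names inside what is otherwise an ordinary ELF. The script below is an added example, not code from Cisco Talos or from the Intellexa tooling. The indicator strings are generic, assumed markers of an embedded CPython runtime rather than signatures from the report, and the two sample blobs are constructed for the demonstration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

ELF_MAGIC = b"\x7fELF"

# Strings that commonly appear when a native binary embeds CPython.
# Assumed, generic indicators; not signatures taken from the Talos report.
PY_INDICATORS = [
    b"Py_Initialize",
    b"PyRun_SimpleString",
    b"PyImport_ImportModule",
    b"libpython3",
    b"PYTHONHOME",
    b"PYTHONPATH",
]


@dataclass
class TriageResult:
    is_elf: bool
    bits: Optional[int]              # 32 or 64 from EI_CLASS, None if not ELF
    hits: List[str] = field(default_factory=list)
    pyc_modules: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # One point per indicator string, plus one if any .pyc names are embedded.
        return len(self.hits) + (1 if self.pyc_modules else 0)

    @property
    def suspicious(self) -> bool:
        # Require a real ELF and at least two independent indicators, so a
        # binary that merely mentions Python in a help string is not flagged.
        return self.is_elf and self.score >= 2


def triage(blob: bytes) -> TriageResult:
    """Flag an ELF that looks like it carries an embedded Python interpreter."""
    is_elf = blob[:4] == ELF_MAGIC
    bits = None
    if is_elf and len(blob) > 4:
        bits = {1: 32, 2: 64}.get(blob[4])  # EI_CLASS byte of the ELF identification
    hits = [ind.decode() for ind in PY_INDICATORS if ind in blob]
    # Module names such as "main.pyc" left in the binary point at bundled bytecode.
    pyc_modules = sorted({m.decode() for m in re.findall(rb"[A-Za-z0-9_]+\.pyc", blob)})
    return TriageResult(is_elf, bits, hits, pyc_modules)


# Constructed sample inputs (not real malware): a fake 64-bit ELF that embeds
# CPython strings, and a fake 32-bit ELF that does not.
SAMPLE_EMBEDDED_PY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 57
    + b"Py_Initialize\x00PyRun_SimpleString\x00main.pyc\x00"
    + b"PYTHONHOME=/data/local/tmp\x00"
)
SAMPLE_PLAIN = b"\x7fELF\x01\x01\x01" + b"\x00" * 57 + b"libc.so\x00main\x00"


if __name__ == "__main__":
    for name, blob in (("embedded", SAMPLE_EMBEDDED_PY), ("plain", SAMPLE_PLAIN)):
        r = triage(blob)
        print(f"{name}: elf={r.is_elf} bits={r.bits} score={r.score} "
              f"hits={r.hits} pyc={r.pyc_modules} suspicious={r.suspicious}")
```

On a real sample, read the file in binary mode and pass the bytes to `triage`. Packed or encrypted loaders will hide these strings until they are unpacked, so a negative result is not evidence that no interpreter is embedded; the check is a cheap first pass, not a verdict.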
Final Thoughts
Most commercial spyware is built for government customers, and companies like NSO Group market their products as tools that help prevent terrorism, investigate crime, and strengthen national security.
In recent years, however, ethical and legal concerns have surfaced around these surveillance tools, which the security community has come to call “mercenary spyware.”
In response to the rapid proliferation of these products and growing concern about their misuse, the Biden-Harris administration issued an Executive Order on March 27, 2023, that forbids the U.S. government from using commercial spyware that could endanger national security or that has been used by foreign actors to enable human rights abuses.