Predator: Looking under the hood of Intellexa’s Android spyware

MuzzMelbourne

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Content source
https://www.bleepingcomputer.com/news/security/predator-looking-under-the-hood-of-intellexas-android-spyware/
Security researchers at Cisco Talos and the Citizen Lab have presented a new technical analysis of the commercial Android spyware 'Predator' and its loader 'Alien,' sharing its data-theft capabilities and other operational details.

Predator is a commercial spyware for mobile platforms (iOS and Android) developed and sold by Israeli company Intellexa.

The spyware family has been linked to surveillance operations targeting journalists, high-profile European politicians, and even Meta executives.

The spyware can record phone calls, collect information from messaging apps, or even hide applications and prevent their execution on infected Android devices.
Click to expand...
www.bleepingcomputer.com

Predator: Looking under the hood of Intellexa’s Android spyware

Security researchers at Cisco Talos and the Citizen Lab have presented a new technical analysis of the commercial Android spyware 'Predator' and its loader 'Alien,' sharing its data-theft capabilities and other operational details.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • +Reputation
  • Like
Reactions: vtqhtr413, Trident, [correlate] and 1 other person
Jonny Quest

Jonny Quest

Level 22
Verified
Top Poster
Well-known
Mar 2, 2023
1,107
"The spyware can record phone calls, collect information from messaging apps, or even hide applications and prevent their execution on infected Android devices".
Okay, how did this get installed, and from the below link, I didn't see where it was a downloaded app that installed the Predator spyware or through an Android update, a download link, spyware implants...what are those?
How does, did that happen, @Trident any ideas?

www.bleepingcomputer.com

Google: Predator spyware infected Android devices using zero-days

Google's Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox.
www.bleepingcomputer.com www.bleepingcomputer.com

Google's Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox.

In these attacks, part of three campaigns that started between August and October 2021, the attackers used zero-day exploits targeting Chrome and the Android OS to install Predator spyware implants on fully up-to-date Android devices.
 
Last edited:
  • Like
Reactions: vtqhtr413, Zero Knowledge, MuzzMelbourne and 2 others
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
@Jonny Quest from the link it looks like links were sent by email. Once clicked, the domain/web page exploited 5 zero-day vulnerabilities (that’s quite unusual and impressive as an attack which suggests the attackers were well funded). Through the exploit the Alien loader was delivered which further downloaded necessary components for the spyware and kept them hidden within system processes.

This is a highly commercial spyware similar to the Mercenary that targeted Apple users like journalists and other people of interest.

blog.talosintelligence.com

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
blog.talosintelligence.com blog.talosintelligence.com
 
  • Like
  • +Reputation
  • Thanks
Reactions: vtqhtr413, Zero Knowledge, [correlate] and 2 others
Jonny Quest

Jonny Quest

Level 22
Verified
Top Poster
Well-known
Mar 2, 2023
1,107
Trident said:
@Jonny Quest from the link it looks like links were sent by email. Once clicked, the domain/web page exploited 5 zero-day vulnerabilities (that’s quite unusual and impressive as an attack which suggests the attackers were well funded). Through the exploit the Alien loader was delivered which further downloaded necessary components for the spyware and kept them hidden within system processes.

This is a highly commercial spyware similar to the Mercenary that targeted Apple users like journalists and other people of interest.

blog.talosintelligence.com

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
blog.talosintelligence.com blog.talosintelligence.com
Click to expand...
Thank you, buddy, for taking the time to hunt that down and for looking into it for me, as I really didn't catch how it was installed. But I thought the same thing, pretty impressive exploit.
 
  • Like
  • Hundred Points
Reactions: vtqhtr413, Zero Knowledge, [correlate] and 2 others
Trident

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,349
Jonny Quest said:
Thank you, buddy, for taking the time to hunt that down and for looking into it for me, as I really didn't catch how it was installed. But I thought the same thing, pretty impressive exploit.
Click to expand...
These spyware products are on sale for high prices, advertised as tools for “surveillance against criminals and terrorists” by organisations as NSO. It’s not their first product and it definitely won’t be the last. In the past few years, the ethics and purpose of their spyware have been questions not once or twice.
www.reuters.com

Britain sounds alarm on spyware, mercenary hacking market

British officials are sounding the alarm over the widespread abuse of surveillance software and hackers-for-hire, saying that thousands of people were being targeted each year by an industry they described as posing an increasingly unpredictable threat.
www.reuters.com www.reuters.com

www.computerworld.com

NSO Group returns with triple iOS 15/16 zero-click spyware attack

The NSO Group hasn’t gone away; the privatized spying service was active in 2022 with zero-click exploits against iOS 15 and iOS 16, according to Citizen Lab.
www.computerworld.com www.computerworld.com

It further demonstrates that if you employ the right people and give them the right incentive, nothing is too secure.
 
  • Applause
  • Hundred Points
  • Like
Reactions: vtqhtr413, Zero Knowledge, [correlate] and 2 others
S

Socalvisit

New Member
May 26, 2023
0
Trident said:
@Jonny Quest from the link it looks like links were sent by email. Once clicked, the domain/web page exploited 5 zero-day vulnerabilities (that’s quite unusual and impressive as an attack which suggests the attackers were well funded). Through the exploit the Alien loader was delivered which further downloaded necessary components for the spyware and kept them hidden within system processes.

This is a highly commercial spyware similar to the Mercenary that targeted Apple users like journalists and other people of interest.

blog.talosintelligence.com

Mercenary mayhem: A technical analysis of Intellexa's PREDATOR spyware

Commercial spyware use is on the rise, with actors leveraging these sophisticated tools to conduct surveillance operations against a growing number of targets. Cisco Talos has new details of a commercial spyware product sold by the spyware firm Intellexa (formerly known as Cytrox).
blog.talosintelligence.com blog.talosintelligence.com
Click to expand...
It is a good Read!
 
  • Like
Reactions: vtqhtr413, Trident and Jonny Quest
vtqhtr413

vtqhtr413

Level 27
Well-known
Aug 17, 2017
1,609

On the Trail of the Predator: North Macedonia, Greece and Germany

One message, one link, one click. That's all it takes to lose control of your digital life, unwittingly and in a matter of seconds. Greek reporter Thanasis Koukakis has experienced it. The message sounded innocuous enough, like one of the many tips journalists are regularly sent. "Thanasis, have you heard about this?" When he clicked on the link in summer 2021, a small program installed itself imperceptibly on his phone. It opened the door to the spyware program Predator, a virtual beast of prey.

Suddenly, Koukakis was completely exposed, and remained so for 10 weeks. The software allowed the attackers to see where the reporter was moving, who he was talking to, who he was sending which messages to and what he was researching. Koukakis has spent years reporting on corruption, keeping a close eye on the powerful in Greece, and his work has appeared on the satellite news station CNN and in the Financial Times. Now, though, his informants were in danger of being exposed.
Click to expand...
www.spiegel.de

The Predator Files: European Spyware Consortium Supplied Despots and Dictators

The Intellexa Alliance is the name of the shady group of European companies that supplies dictators and despots with cyberweapons. The mass spyware attacks have also been lucrative for some in Germany.
www.spiegel.de www.spiegel.de
 
  • +Reputation
Reactions: ForgottenSeer 100397, Jonny Quest and Gandalf_The_Grey
You must log in or register to reply here.

Similar threads

K
    • Like
    • Thanks
    • HaHa
Security News Poland launches Pegasus spyware probe
Replies
3
Views
3,720
Security News
TairikuOkami
TairikuOkami
enaph
    • Wow
    • +Reputation
    • Like
Stop the proposal on mass surveillance of the EU
Replies
11
Views
1,334
News Archive
Orchid
Orchid
CyberTech
    • Wow
    • Sad
    • +Reputation
NSO Android and iPhone spyware is linked to assaults and murder of dissidents – Amnesty
Replies
0
Views
1,058
News Archive
CyberTech
CyberTech

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top