Predator: Looking under the hood of Intellexa’s Android spyware

MuzzMelbourne

Level 15
Thread author
Verified
Top Poster
Well-known
Mar 13, 2022
599
Security researchers at Cisco Talos and the Citizen Lab have presented a new technical analysis of the commercial Android spyware 'Predator' and its loader 'Alien,' sharing its data-theft capabilities and other operational details.

Predator is a commercial spyware for mobile platforms (iOS and Android) developed and sold by Israeli company Intellexa.

The spyware family has been linked to surveillance operations targeting journalists, high-profile European politicians, and even Meta executives.

The spyware can record phone calls, collect information from messaging apps, or even hide applications and prevent their execution on infected Android devices.
 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
811
"The spyware can record phone calls, collect information from messaging apps, or even hide applications and prevent their execution on infected Android devices".
Okay, how did this get installed, and from the below link, I didn't see where it was a downloaded app that installed the Predator spyware or through an Android update, a download link, spyware implants...what are those?
How does, did that happen, @Trident any ideas?


Google's Threat Analysis Group (TAG) says that state-backed threat actors used five zero-day vulnerabilities to install Predator spyware developed by commercial surveillance developer Cytrox.

In these attacks, part of three campaigns that started between August and October 2021, the attackers used zero-day exploits targeting Chrome and the Android OS to install Predator spyware implants on fully up-to-date Android devices.
 
Last edited:

Trident

Level 29
Verified
Top Poster
Well-known
Feb 7, 2023
1,805
@Jonny Quest from the link it looks like links were sent by email. Once clicked, the domain/web page exploited 5 zero-day vulnerabilities (that’s quite unusual and impressive as an attack which suggests the attackers were well funded). Through the exploit the Alien loader was delivered which further downloaded necessary components for the spyware and kept them hidden within system processes.

This is a highly commercial spyware similar to the Mercenary that targeted Apple users like journalists and other people of interest.

 

Jonny Quest

Level 17
Verified
Top Poster
Well-known
Mar 2, 2023
811
@Jonny Quest from the link it looks like links were sent by email. Once clicked, the domain/web page exploited 5 zero-day vulnerabilities (that’s quite unusual and impressive as an attack which suggests the attackers were well funded). Through the exploit the Alien loader was delivered which further downloaded necessary components for the spyware and kept them hidden within system processes.

This is a highly commercial spyware similar to the Mercenary that targeted Apple users like journalists and other people of interest.

Thank you, buddy, for taking the time to hunt that down and for looking into it for me, as I really didn't catch how it was installed. But I thought the same thing, pretty impressive exploit.
 

Trident

Level 29
Verified
Top Poster
Well-known
Feb 7, 2023
1,805
Thank you, buddy, for taking the time to hunt that down and for looking into it for me, as I really didn't catch how it was installed. But I thought the same thing, pretty impressive exploit.
These spyware products are on sale for high prices, advertised as tools for “surveillance against criminals and terrorists” by organisations as NSO. It’s not their first product and it definitely won’t be the last. In the past few years, the ethics and purpose of their spyware have been questions not once or twice.


It further demonstrates that if you employ the right people and give them the right incentive, nothing is too secure.
 

Socalvisit

New Member
May 26, 2023
0
@Jonny Quest from the link it looks like links were sent by email. Once clicked, the domain/web page exploited 5 zero-day vulnerabilities (that’s quite unusual and impressive as an attack which suggests the attackers were well funded). Through the exploit the Alien loader was delivered which further downloaded necessary components for the spyware and kept them hidden within system processes.

This is a highly commercial spyware similar to the Mercenary that targeted Apple users like journalists and other people of interest.

It is a good Read!
 

vtqhtr413

Level 26
Well-known
Aug 17, 2017
1,567

On the Trail of the Predator: North Macedonia, Greece and Germany

One message, one link, one click. That's all it takes to lose control of your digital life, unwittingly and in a matter of seconds. Greek reporter Thanasis Koukakis has experienced it. The message sounded innocuous enough, like one of the many tips journalists are regularly sent. "Thanasis, have you heard about this?" When he clicked on the link in summer 2021, a small program installed itself imperceptibly on his phone. It opened the door to the spyware program Predator, a virtual beast of prey.

Suddenly, Koukakis was completely exposed, and remained so for 10 weeks. The software allowed the attackers to see where the reporter was moving, who he was talking to, who he was sending which messages to and what he was researching. Koukakis has spent years reporting on corruption, keeping a close eye on the powerful in Greece, and his work has appeared on the satellite news station CNN and in the Financial Times. Now, though, his informants were in danger of being exposed.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top