
Researchers crack how powerful Predator spyware works under the hood

Talos researchers were able to gain insights into how the “incredibly versatile” mercenary Predator spyware works.
Article cover: Francis Scialabba

Researchers with Cisco Talos Intelligence Group have been able to peer into the inner workings of the mercenary surveillance spyware Predator, and it appears there’s something out there waiting for us, and it ain’t no man. It’s malware—and it’s very versatile.

Predator is a product of Cytrox, reportedly a partner in a joint spyware venture called Intellexa, which was formed by various vendors to compete with the notorious NSO Group. Like NSO’s Pegasus, it has nefarious capabilities, ranging from recording calls and secretly activating a device’s mic to snatching data from encrypted messaging apps and arbitrary code execution.

In May 2022, Google researchers found that both Predator and Alien, another malware component of the attack chain, relied on five separate zero-day exploits in Chrome and Android to spread, and were involved in at least three separate spyware campaigns. In their report, Talos researchers wrote that their analysis of malware samples had provided “proof that Alien is much more than just a loader for Predator as previously thought to be,” with Alien instead gaining access to “the low-level capabilities needed for Predator to spy on its victims.”

The two components specifically work in tandem to bypass SELinux, the security architecture that protects socket access in Android. According to the Talos report, Alien is smuggled into memory space normally used for zygote64, Android’s 64-bit initialization process, and gains various high-level privileges as a result. It then downloads or updates Predator, hiding communications between spyware components within legitimate system processes and receiving Predator’s commands, all outside SELinux’s notice.

The attackers “needed the second component, which is Predator…to actually contact Alien to perform certain features or certain tasks,” Vitor Ventura, lead security researcher at Talos, told IT Brew. “So that this one would have the capability that the other one cannot.”

Because Alien and Predator are modular, Talos threat researcher Asheer Malhotra told IT Brew the result is “an incredibly versatile piece of malware.”

“Predator has the ability to get more modules and plugins from a command and control server and execute whatever the attackers decide to push to an infected device,” Malhotra said. “There are certain inbuilt capabilities as well, like audio recording, and stuff like that. But then it also has the capability to extend and perform more malicious functions on an infected device based on what the CNC or the command and control server directs it to do.”

Talos researchers wrote in the report that they could not examine two of Predator’s components—tcore and kmem—but wrote that they appear to provide core spyware functionality and arbitrary read and write access into the kernel memory space, respectively. They also were not able to analyze its iOS equivalent.

The sophisticated exploits used by mercenary spyware like Predator and Alien are closely guarded secrets of spyware vendors, Ventura told IT Brew, and have limited use outside of intelligence operations. For example, while ransomware gangs might have the financial resources to purchase such high-tech tools, the resulting exposure to security researchers could quickly rob them of their value.

“They’re doing so well without spending that money. Why would they even think about using that?” Ventura said. “If it gets out there, the bug will be patched, everything will kind of lose its value.”