
Delivery of PREDATOR Spyware via Zero-Click Exploit


A cybersecurity research firm, Cisco Talos, has reported on a commercial spyware product offered by Intellexa, formerly known as Cytrox. The spyware product, named PREDATOR, is designed to use deployment procedures that require little or no user interaction, making the final payload difficult to detect or defend against. PREDATOR is typically delivered through a chain of exploits, starting either with a zero-click exploit such as FORCEDENTRY, developed by the Israeli spyware company NSO Group, or with a link that the victim is tricked into clicking, known as a one-click exploit.

PREDATOR is a flexible spyware tool that has existed since 2019 and is built to accept new Python-based modules without repeated exploitation, which makes it all the more versatile and dangerous. Cisco Talos notes that PREDATOR relies on a second spyware component, known as ALIEN, to interact with and bypass established security measures on the Android operating system.

According to Cisco Talos, “A deep dive into both spyware components indicates that Alien is more than just a loader for Predator and actively sets up the low-level capabilities needed for Predator to spy on its victims.”

Intellexa’s spyware products comprise various components that fall into three primary categories corresponding to different stages of an attack: exploitation, privilege escalation, and mitigation circumvention. The first two stages involve exploiting a remote vulnerability to gain remote code execution and then circumventing mitigations to escalate privileges before the attack is completed.

While both Android and iOS mobile devices can be attacked by ALIEN and PREDATOR, the two spyware components analysed by Talos were specifically designed for Android. PREDATOR is configured to use QUAILEGGS for privilege escalation or a different method called “kmem” if QUAILEGGS is unavailable.

Tcore, a component previously associated with PREDATOR and ALIEN, provides camera access, geolocation tracking, and simulated shutdown, which allow the spyware to eavesdrop on victims discreetly. Through the Tcore Python package, ALIEN and PREDATOR can record audio from VOIP-based applications and phone calls. They can also collect data from some of the most widely used messaging apps, such as Signal, WhatsApp, and Telegram, and can hide apps that cannot run after a device restarts.

Talos notes that KMEM offers arbitrary read and write access to the kernel address space. According to the company, Alien is not just a loader but also an executor: its multiple threads continuously read commands coming from Predator and execute them, giving the spyware the means to bypass some of the Android framework’s security features.

If the spyware runs on a Samsung, Huawei, Oppo, or Xiaomi handset, it can also add certificates to the certificate store and enumerate the contents of various directories on disk. The spyware runs as an ELF binary that sets up a Python runtime environment; if the device manufacturer matches one of these names, it recursively enumerates the contents of directories on disk.

While most commercial spyware is designed for government use, ethical and legal concerns have been raised concerning these tools, which the cybersecurity community calls “mercenary spyware.” In response to the proliferation and growing concern regarding the misuse of these products, the Biden-Harris administration released an Executive Order on March 27, 2023, prohibiting the use by the U.S. government of commercial spyware that could endanger national security or has been exploited by foreign parties to enable human rights abuses.

In conclusion, PREDATOR underscores the significant threat that spyware poses to individuals and organizations, as it is designed to bypass established security measures and is difficult to detect or defend against. While governments may use spyware tools for legitimate security reasons, the potential for misuse and abuse is evident, and ethical and legal frameworks governing their use are therefore essential.
