‘Predator’ — Nasty Android Spyware Revealed

Intellexa’s ‘mercenary spyware’ chains five unpatched bugs.

Malware used by nation-states to target journalists, activists and opposition pols has been deconstructed by researchers. Its fast, silent attack is truly frightening.

Predator runs on iOS and Android. In today’s SB Blogwatch, we unpick the ’droid version.


Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Getaway.

‘Alien’ Technology

What’s the craic? Bill Toulas reports—“Looking under the hood”:

Spy on TLS-encrypted network communication
Predator is a commercial spyware for mobile platforms (iOS and Android) developed and sold by Israeli company Intellexa. … The spyware can record phone calls, collect information from messaging apps, or even hide applications and prevent their execution on infected Android devices.

The Alien [helper] is injected into a core Android process named ‘zygote64’ and then downloads and activates additional spyware components [including] the Predator component. … After that, Alien continues to operate on the device, facilitating discreet communications between the spyware’s components by hiding them within legitimate system processes and receiving commands from Predator to execute while bypassing Android security (SELinux).

The functionalities facilitated by Predator [and] Alien, include arbitrary code execution, audio recording … application hiding, app execution prevention (after reboot), and directory enumeration. … The spyware also uses certificate poisoning … allowing Predator to conduct man-in-the-middle attacks and spy on TLS-encrypted network communication. … It also enumerates the victim’s contact list and lists private files in the user’s media folders, including audio, images, and video.

Israeli? I thought it was Eastern European. Pierluigi Paganini clarifies some history—“Powerful Android spyware”:

Zero-day vulnerabilities
Predator [was] developed by the North Macedonian firm Cytrox. … Currently, the Predator spyware is developed and sold by Israeli company Intellexa; it can target both iOS and Android devices.

In December 2021 a report published by CitizenLab researchers detailed the use of the Predator Spyware against exiled politician Ayman Nour and the host of a popular news program. … In May 2022, Google’s Threat Analysis Group (TAG) researchers discovered three campaigns, between August and October 2021, targeting Android users with five zero-day vulnerabilities.

And Dan Goodin goes further in—“Inner workings revealed”:

Five vulnerabilities
Predator is developed by Cytrox, a company that Citizen Lab has said is part of an alliance called Intellexa, “a marketing label for a range of mercenary surveillance vendors that … include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., and Senpai. … Predator is sold to a wide array of government actors from countries including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Alien [exploits] five vulnerabilities: CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 [and] CVE-2021-1048. … Alien and Predator work hand in hand to bypass restrictions in the Android security model. … One method for doing this is loading Alien into memory space reserved for Zygote64, the method Android uses to start apps.

It’s complicated. As KiriNotes notes:

It’s a little unclear who even steers the ship at Intellexa. WiSpear was apparently headquartered in Cyprus, Cytrox was in North Macedonia, Senpai Technologies was apparently an Israeli startup, and Nexa is a French company that was formerly known as Amesys. … The whole shebang appears to be helmed by Tal Dilian, an Israeli entrepreneur who allegedly headed up IDF Intelligence’s Unit 81 for several years. Sheesh.

Cue: The usual outpouring of uninformed anti-Israel rhetoric. localplume explains why that’s misjudged:

Because they’re extrapolating from “a few spyware companies come from Israel” -> “every single Israeli hates freedom of press, journalists and human rights.” It’s a pretty bad faith argument and borderline racist.

Anyway Israel isn’t the only one selling spyware software. There are a metric ton of sellers, operators, and people just selling zero-days to any bidder.

The answer … is that Israel is a dense, highly educated country with a lot of expertise in computer security and other technology areas. [It] is a difficult and exciting area of work, and the pipeline from gaining these skills in the military and translating it to private industry is very real. It has nothing to do with freedom of the press, journalists, or human rights.

Horse’s mouth? Team Talos explains why it matters where it comes from—“Mercenary mayhem”:

Human rights abuses
In recent years, ethical and legal questions have swirled around the use of these surveillance tools, which have become known in the security community as “mercenary spyware.” As a response to the rapid proliferation and growing concern over the misuse of these products, on March 27, 2023, the Biden-Harris administration signed an Executive Order prohibiting the U.S. government from using commercial spyware that poses national security risks or has been misused by foreign actors to enable human rights abuses.

When used together, these components provide a variety of information stealing, surveillance and remote-access capabilities. … This capability list should not be considered exhaustive. We believe that capabilities like geolocation tracking, camera access or the ability to make it appear as if the phone is powering off may [also] have been implemented.

It has full control over a smartphone. What could possibly go wrong? Pascal Monett paints a picture:

And to think that some people are actively trying to get us to transform said device into our universal passkey. Ain’t that reassuring?

So what’s the real lesson here? dngray teaches the real lesson, here:

The real lesson here is to not have unsupported devices in your possession. … The Pixels have a 5Y support period that includes the underlying firmware.

This malware uses 5 exploits which were from 2021. … This article is misleading, they’re not “zero days” when they were discovered 2 years ago.

Meanwhile, blitzd snickers:

Suckers. I’m never giving up my Palm Treo.

And Finally:



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw[email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: David Clode (via Unsplash; leveled and cropped)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
