Security researchers from Cisco Talos and Citizen Lab have provided a new technical analysis of commercial Android spyware ‘Predator’ and its loader ‘Alien’, detailing their data-stealing abilities and other operational details.
Predator is commercial spyware for mobile platforms (iOS and Android) developed and distributed by the Israeli company Intellexa.
The spyware family has been linked to surveillance operations targeting journalists, high-ranking European politicians and even Meta executives.
The spyware can record phone conversations, collect information from messaging apps or even hide applications and prevent them from running on infected Android devices.
The Alien loader
In May 2022, Google TAG revealed five Android zero-day vulnerabilities that the Predator spyware chained to perform shellcode execution and drop Predator’s “Alien” loader on a target device.
The Alien loader injects into a core Android process called zygote64 and then downloads and activates additional spyware components based on a hard-coded configuration.
Alien retrieves the Predator component from an external address and launches it on the device or updates the existing payload with a newer version if available.
Hardcoded Predator Download URL in Alien (Cisco)
Alien then continues to operate on the device, facilitating discreet communication between spyware components by hiding them in legitimate system processes and receiving commands from Predator to execute while bypassing Android (SELinux) security.
Spyware’s Code Injection Feature (Cisco)
A SELinux bypass is a key feature of the spyware, distinguishing it from information stealers and $150-$300 per month Trojans sold through Telegram.
Cisco explains that Alien achieves this by abusing SELinux contexts, which determine which users and what level of information are allowed for each process and object in the system, thereby lifting existing restrictions.
In addition, Alien listens for ioctl (input/output control) commands for the spyware’s internal component communication, which SELinux does not check.
Finally, Alien stores stolen data and recordings on a shared storage space, then moves them to storage and finally exfiltrates them through Predator. This operation does not trigger access violations and is unnoticed by SELinux.
Alien’s execution flow (Cisco)
Predator functions
Predator is the spyware’s spearhead module, which arrives on the device as an ELF file and sets up a Python runtime environment to enable the various spying features.
The amount of logging performed on the compromised device depends on whether the Predator implant is a development version or a stable version.
Predator initialization (Cisco)
Features enabled by Predator’s Python modules and running alongside Alien include arbitrary code execution, audio recording, certificate poisoning, application hiding, app execution prevention (after reboot), and directory enumeration.
Block app execution after restart (Cisco)
The spyware’s loader, Alien, checks whether it is running on a Samsung, Huawei, Oppo, or Xiaomi device and, if so, recursively enumerates the contents of directories containing user data from email, messaging, social media, and browser apps.
It also enumerates the victim’s contact list and lists private files in the user’s media folders, including audio, images and videos.
Directories enumerated by Predator spyware (Cisco).
The spyware also uses certificate poisoning to add custom certificates to the current user-trusted certificate authorities, allowing Predator to perform man-in-the-middle attacks and spy on TLS-encrypted network communications.
Adding a malicious certificate on the device (Cisco)
Cisco notes that Predator is careful with this capability and does not install the certificates at the system level, to avoid disrupting the device’s operation in a way that could alert victims that something is wrong.
“From an attacker’s perspective, the risks outweigh the benefits, since the spyware with user-level certificates can still perform TLS decryption on any in-browser communication,” the researchers explain.
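A defender-side check for the user-level certificate poisoning described above, as an added example that is not from Cisco’s report or the original article. It assumes a file listing has already been collected from the device and that user-added CAs sit in Android’s per-user store under /data/misc/user/<id>/cacerts-added/; the function name, sample hashes and allowlist are constructed for illustration.

```python
import re

# Android names each CA file "<8-hex subject hash>.<index>", e.g. "a1b2c3d4.0".
CA_NAME = re.compile(r"^[0-9a-f]{8}\.\d+$")
# Per-user store for CAs added through Settings or by code running as that user.
USER_STORE = re.compile(r"^/data/misc/user/(\d+)/cacerts-added/([^/]+)$")


def audit_user_cas(paths, system_names, approved_names):
    """Return sorted (user_id, file_name, reason) findings for user-added CAs.

    paths: file paths collected from the device (e.g. a forensic listing)
    system_names: file names present in the system CA store
    approved_names: CA files the organisation deployed on purpose (MDM, proxy)
    """
    system_hashes = {n.split(".")[0] for n in system_names}
    findings = []
    for raw in paths:
        m = USER_STORE.match(raw.strip())
        if not m:
            continue  # not inside a user CA store
        user_id, name = int(m.group(1)), m.group(2)
        if not CA_NAME.match(name):
            findings.append((user_id, name, "unexpected file name in CA store"))
        elif name in approved_names:
            continue  # known, deliberately installed CA
        elif name.split(".")[0] in system_hashes:
            # Heuristic: same subject hash as a system root, so it imitates one.
            findings.append((user_id, name, "user CA reuses a system CA subject"))
        else:
            findings.append((user_id, name, "unapproved user-added CA"))
    return sorted(findings)


# Constructed sample input; every hash below is made up for illustration.
SAMPLE_PATHS = [
    "/data/misc/user/0/cacerts-added/0f1e2d3c.0",   # approved corporate proxy CA
    "/data/misc/user/0/cacerts-added/9a8b7c6d.0",   # nobody knows this one
    "/data/misc/user/10/cacerts-added/5ed36f99.0",  # same subject as a system CA
    "/data/misc/user/0/cacerts-added/notes.txt",    # does not belong here
    "/system/etc/security/cacerts/5ed36f99.0",      # system store, ignored
]
SAMPLE_SYSTEM = {"5ed36f99.0", "b0e59380.0"}
SAMPLE_APPROVED = {"0f1e2d3c.0"}

if __name__ == "__main__":
    for finding in audit_user_cas(SAMPLE_PATHS, SAMPLE_SYSTEM, SAMPLE_APPROVED):
        print(finding)
```

Any finding is a prompt to pull the certificate and inspect its subject and issuer; the file name alone does not identify who installed it.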
Missing parts
Although Cisco and Citizen Lab have dug deep into the spyware’s components, researchers are still missing details on two modules, namely tcore and kmem, both of which are loaded in Predator’s Python runtime.
“We believe with a high degree of certainty that the spyware has two additional components – tcore (main component) and kmem (privilege escalation mechanism) – but we were unable to obtain and analyze these modules,” explains Cisco’s report.
Analysts believe tcore performs geolocation tracking, captures images from the camera, or simulates a device being turned off.
Cisco’s hypothesis for the kmem module is that it allows for arbitrary read and write access to the kernel address space.
Since neither could be retrieved from infected devices, parts of Intellexa’s Predator spyware remain undetected.