Researchers uncover details of how Predator spyware works
Explore Predator, a commercial Android spyware, and Alien, its downloader. Learn about their capabilities, security bypass methods, and the evolving landscape of mobile surveillance.
The Cisco Talos and Citizen Lab research teams have published a technical analysis of a commercial Android spyware called "Predator" and its downloader, "Alien." Predator is a commercial spyware for mobile platforms (iOS and Android) associated with spying operations on journalists, high-ranking European politicians, and even Meta executives. Predator can record phone calls, collect information from messengers, and even hide apps and block them from running on infected Android devices.
Alien Loader
In May 2022, the Google TAG team exposed five vulnerabilities in Android that Predator used to execute shellcode and install the Alien bootloader on the target device. Alien injects itself into the main Android process called "zygote64" and then downloads and activates additional spyware components based on the built-in configuration. Alien retrieves the Predator component from an external address and runs it on the device or updates an existing module to a newer version, if available. After that, Alien continues to run on the device, providing covert communication between spyware components, hiding them inside legitimate system processes, and receiving commands from Predator to execute, bypassing Android (SELinux) protection. Bypassing SELinux is a key feature of spyware that sets it apart from infostealers and trojans sold on Telegram for $150-300 per month. Cisco explains that Alien bypasses security by abusing SELinux contexts, which determine which users and what level of information are allowed for each process and object in the system, thereby removing existing restrictions. In addition, Alien listens for "ioctl" (input/output) commands for internal communication between spyware components, which SELinux does not check. Alien also stores stolen data and records in a shared memory space, then moves them to storage, eventually uploading them through the Predator. This process does not cause access violations and remains undetected by SELinux.
Features
Predator is a core spyware module that arrives on the device as an ELF file and creates a Python runtime environment to provide various spying functions.
Predator's functionality includes:
- Execution of arbitrary code
- Audio recording
- Replacement of certificates
- Hiding applications
- Preventing applications from starting (after a reboot)
- Listing directories
Notably, Predator checks if it works on Samsung, Huawei, Oppo, or Xiaomi. If it does, the malware recursively lists the contents of directories that store user data from email applications, instant messengers, social networks, and browsers. Predator also lists the victim's contact list and sensitive files in the user's media folders, including audio, images, and videos. Predator also spoofs certificates to install user certificates to users' current trusted CAs. This allows Predator to conduct man-in-the-middle (MiTM) attacks and spy on TLS-encrypted network traffic. Cisco notes that Predator uses this feature cautiously. The malware does not install certificates at the system level, as it can interfere with the device's operation and attract the user's attention.
Missing Parts
Despite this in-depth analysis of spyware components, researchers do not know the details of two modules: "tcore" (the main component) and "kmem" (privilege escalation mechanism). Both are loaded into the Python Predator runtime. Analysts believe "tcore" tracks the geolocation of the target, takes pictures from the camera, or simulates turning off the device. In turn, "kmem" provides random read and write access to kernel space. Since the modules cannot be extracted from infected devices, parts of the Predator spyware still remain unexplored. Predator was developed by Cytrox, which is based in North Macedonia and sells commercial spyware and other surveillance tools. Cytrox is also behind another spyware called Hermit, which has been used to hack into the smartphones of journalists and activists in India. Predator is not the only spyware being used to target high-risk users. Another example is Pegasus, developed by the Israeli company NSO Group. Pegasus can also hack and track Android and iOS smartphones. Pegasus has been used to spy on journalists, human rights activists, politicians, and businessmen around the world. Apple, one of the smartphone makers targeted by Predator and Pegasus attacks, has launched a new security feature called "Lockdown Mode" in iOS 16, iPadOS 16, and macOS Ventura. This feature blocks certain features to provide maximum protection against "targeted cyber attacks."
