Cisco Talos and Citizen Lab have conducted a technical analysis of the Android spyware ‘Predator’ and its loader ‘Alien,’ revealing its data-theft capabilities and operational details.
Developed and sold by Israeli company Intellexa, Predator has been associated with surveillance operations targeting journalists, European politicians, and Meta executives.
The spyware can record phone calls, gather information from messaging apps, hide applications, and circumvent Android security. Although some components of Predator remain unexplored, researchers speculate that they involve geolocation tracking, camera image capture, device power-off simulation, and kernel access.
Predator’s loader, Alien, exploits Android zero-day vulnerabilities to deploy itself and downloads additional spyware components based on a predetermined configuration.
By abusing SELinux contexts and bypassing its restrictions, Alien conceals the spyware’s activity inside legitimate system processes. It communicates with Predator to execute commands discreetly and keeps stolen data and recordings in shared memory, out of the reach of the SELinux policy that would otherwise expose them.
Predator itself, as the spearhead module, sets up a Python runtime environment to enable various espionage functions such as code execution, audio recording, certificate poisoning, application hiding, and directory enumeration.
The spyware enumerates user data directories from email, messaging, social media, and browser apps, as well as the victim’s contact list and private media files.
It employs certificate poisoning to install custom certificates that enable man-in-the-middle interception of the victim’s TLS-encrypted network traffic. These certificates are installed at the user level rather than the system level, which avoids raising suspicion.
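Because a user-level certificate poisoning lands in the Android user trust store, a defender can audit that store from an app. The following is an added example, not code from the Talos or Citizen Lab analysis; it assumes it runs inside an Android app and relies on the platform’s "AndroidCAStore" KeyStore, whose aliases are prefixed "system:" for anchors shipped with the OS and "user:" for anchors added by a user or an app.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// Added example: enumerate user-installed trust anchors on the device.
// Assumption: runs on Android, where the "AndroidCAStore" provider exposes
// the system and user trust stores under "system:" and "user:" aliases.
public final class UserCaAudit {

    /** One trust anchor found under a "user:" alias. */
    public static final class UserCa {
        public final String alias, subject, issuer;
        public final boolean isCa;      // basic constraints mark it as a CA
        public final boolean selfSigned; // subject == issuer, typical of a rogue root

        UserCa(String alias, X509Certificate cert) {
            this.alias = alias;
            this.subject = cert.getSubjectX500Principal().getName();
            this.issuer = cert.getIssuerX500Principal().getName();
            this.isCa = cert.getBasicConstraints() >= 0;
            this.selfSigned = this.subject.equals(this.issuer);
        }
    }

    /** Returns every user-added anchor; a non-empty list on a device that
     *  has no managed or developer-installed CA is worth investigating. */
    public static List<UserCa> findUserInstalledCas() throws Exception {
        KeyStore store = KeyStore.getInstance("AndroidCAStore");
        store.load(null, null); // no file or password: loads the device stores
        List<UserCa> found = new ArrayList<>();
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!alias.startsWith("user:")) {
                continue; // "system:" anchors ship with the OS image
            }
            X509Certificate cert = (X509Certificate) store.getCertificate(alias);
            if (cert != null) {
                found.add(new UserCa(alias, cert));
            }
        }
        return found;
    }
}
```

Apps that target API level 24 or later do not trust user-added anchors by default, and an app can pin that behaviour explicitly with a network security configuration whose trust anchors list only `src="system"`; an audit like the one above is still the way to notice that such an anchor has appeared on the device at all.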
Two modules, ‘tcore’ and ‘kmem,’ are still missing from the analysis. The researchers believe that ‘tcore’ performs geolocation tracking, camera image capture, and power-off simulation, while ‘kmem’ provides kernel access, but until samples of these components are recovered their behaviour remains unconfirmed.