Predator: a commercial Android spyware
Security researchers from Cisco Talos have recently shared an in-depth analysis of the commercial Android spyware known as Predator, developed by Intellexa (previously Cytrox), an Israeli company. This spyware gained attention when Google’s Threat Analysis Group (TAG) discovered its involvement in targeted attacks that exploited five zero-day vulnerabilities in the Chrome web browser and Android operating system.
Predator, delivered through a loader component named Alien, possesses a wide range of capabilities. It can intercept and record audio from phone calls and VoIP applications, extract contacts and messages (including those from Signal, WhatsApp, and Telegram), hide applications, and even prevent specific applications from running after a device reboot.
According to Cisco Talos, Alien is more than just a loader for Predator; it actively sets up the low-level capabilities required for Predator to spy on its victims. This spyware, along with others like NSO Group’s Pegasus, is typically employed in highly targeted attacks that rely on zero-click exploit chains, allowing for code execution and privilege escalation without any victim interaction.
Talos describes Predator as an intriguing and versatile mercenary spyware that has been operational since at least 2019. It is designed to be adaptable, facilitating the delivery of new Python-based modules without the need for repeated exploitation. This flexibility makes Predator a significant threat.
Both Predator and Alien are adept at evading Android’s security mechanisms. Alien is injected into a core Android process called Zygote, which enables it to download and execute other spyware modules, including Predator, from an external server. The exact method by which Alien is activated on an infected device remains unknown, but it is suspected that shellcode execution through initial-stage exploits plays a role.
Alien’s capabilities extend beyond loading Predator; its multiple threads receive and execute commands from Predator, enabling the spyware to bypass certain Android framework security features, as explained by Cisco Talos.
Predator utilizes various Python modules to achieve a wide range of malicious activities, such as information theft, surveillance, remote access, and arbitrary code execution. Additionally, when running on Samsung, Huawei, Oppo, or Xiaomi devices, the spyware can add certificates to the certificate store and enumerate the contents of specific directories on disk.
Although much has been uncovered about Predator, critical components, including the main module called tcore and a privilege escalation mechanism named kmem, remain elusive. Cisco Talos speculates that tcore may include features like geolocation tracking, camera access, and the ability to simulate device shutdowns to covertly spy on victims.
The emergence of commercial spyware, like Predator, and the increasing number of cyber mercenary companies supplying such tools, have raised concerns. While these tools are initially intended for government use to combat serious crimes and national security threats, they have been abused to surveil dissidents, human rights activists, journalists, and other members of civil society.
Indicators of Compromise