Security researchers from Cisco Talos have recently shared an in-depth analysis of the commercial Android spyware known as Predator, developed by Intellexa (previously Cytrox), an Israeli company. This spyware gained attention when Google’s Threat Analysis Group (TAG) discovered its involvement in targeted attacks that exploited five zero-day vulnerabilities in the Chrome web browser and Android operating system.


Predator, delivered through a loader component named Alien, possesses a wide range of capabilities. It can intercept and record audio from phone calls and VoIP applications, extract contacts and messages (including those from Signal, WhatsApp, and Telegram), hide applications, and even prevent specific applications from running after a device reboot.

According to Cisco Talos, Alien is more than just a loader for Predator; it actively sets up the low-level capabilities required for Predator to spy on its victims. This spyware, along with others like NSO Group’s Pegasus, is typically employed in highly targeted attacks that rely on zero-click exploit chains, allowing for code execution and privilege escalation without any victim interaction.

Talos describes Predator as an intriguing and versatile mercenary spyware that has been operational since at least 2019. It is designed to be adaptable, facilitating the delivery of new Python-based modules without the need for repeated exploitation. This flexibility makes Predator a significant threat.


Both Predator and Alien are adept at evading Android’s security mechanisms. Alien is injected into a core Android process called Zygote, which enables it to download and execute other spyware modules, including Predator, from an external server. The exact method by which Alien is activated on an infected device remains unknown, but it is suspected that shellcode execution through initial-stage exploits plays a role.

Alien’s capabilities extend beyond loading Predator; its multiple threads receive and execute commands from Predator, enabling the spyware to bypass certain Android framework security features, as explained by Cisco Talos.

Predator utilizes various Python modules to achieve a wide range of malicious activities, such as information theft, surveillance, remote access, and arbitrary code execution. Additionally, when running on Samsung, Huawei, Oppo, or Xiaomi devices, the spyware can add certificates to the store and enumerate the contents of specific directories on the disk.

Although much has been uncovered about Predator, critical components, including the main module called tcore and a privilege escalation mechanism named kmem, remain elusive. Cisco Talos speculates that tcore may include features like geolocation tracking, camera access, and the ability to simulate device shutdowns to covertly spy on victims.

The emergence of commercial spyware, like Predator, and the increasing number of cyber mercenary companies supplying such tools, have raised concerns. While these tools are initially intended for government use to combat serious crimes and national security threats, they have been abused to surveil dissidents, human rights activists, journalists, and other members of civil society.


Indicators of Compromise

Hash / Domain / URL
8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6
hxxps[:]//redirecting[.]page:443/9cdfb439c7876e703e307864c9167a15/vsk/afile
llinkedin[.]net
youtube[.]voto
5m5[.]io
qwert[.]xyz
tly[.]link
newslive2[.]xyz
engine[.]ninja
symoty[.]com
alpineai[.]uk
simetricode[.]uk
tsrt[.]xyz
blacktrail[.]xyz
instegram[.]co
getsignalapps[.]com
covid19masks[.]shop
charmander[.]xyz
dragonair[.]xyz
networkenterprise[.]net
cellconn[.]net
telenorconn[.]com
xf[.]actor
novosti[.]bid
politika[.]bid
bumabara[.]bid
danas[.]bid
kormoran[.]bid
svetovid[.]bid
in-politics[.]com
paok-24[.]com
enigmase[.]xyz
ilnk[.]xyz
teslal[.]xyz
applepps[.]com
playestore[.]net
twtter[.]net
youtub[.]app
atheere[.]com
nabde[.]app
bity[.]ws
cut[.]red
invoker[.]icu
snapfire[.]xyz
sniper[.]pet
connectivitycheck[.]live
connectivitycheck[.]online
getsignalapps[.]live
url-tiny[.]app
bit-ly[.]link
instagam[.]click
instagam[.]photos
ancienthistory[.]xyz
download4you[.]xyz
eagerfox[.]xyz
fastuploads[.]xyz
fireup[.]xyz
mozillaupdate[.]xyz
proupload[.]xyz
quickupdates[.]xyz
speedygonzales[.]xyz
updates4you[.]xyz
youarefired[.]xyz
altsantiri[.]news
hellasjournal[.]company
tinyurl[.]cloud
kathimerini[.]news
ereportaz[.]news
protothema[.]live
z2adigital[.]cloud
omanreal[.]net
jquery-updater[.]xyz
lifestyleshops[.]net
hellottec[.]art
crashonline[.]site
efsyn[.]online
tovima[.]live
heiiasjournai[.]com
hempower[.]shop
smsuns[.]com
bmw[.]gr[.]com
koenigseggg[.]com
lamborghini-s[.]shop
tesla-s[.]shop
teslal[.]shop
miniiosapps[.]xyz
z2a[.]digital
addons[.]news
bit-li[.]ws
mlinks[.]ws
msas[.]ws
weathear[.]live
enikos[.]news
stonisi[.]news
wtc1111[.]com
wtc2222[.]com
iosmnbg[.]com
mifcbook[.]link
mitube1[.]link
myfcbk[.]net
myutbe[.]net
webaffise[.]com
affise[.]app
teslali[.]com
bit-li[.]com
fastdownload[.]me
link-m[.]xyz
synctimestamp[.]com
timeupdateservice[.]com
updateservice[.]center
youtubesyncapi[.]com
static-graph[.]com
adservices[.]gr[.]com
cloudstatistics[.]net
bitlyrs[.]com
prmopromo[.]com
supportset[.]net
browsercheck[.]services
forwardeshoptt[.]com
servers-mobile[.]info
bityl[.]me
olxeg[.]com
distedc[.]com
gosokm[.]com
olexegy[.]com
egyqaz[.]com
oilgy[.]xyz
wavekli[.]xyz
xyvok[.]xyz
ewish[.]cards
citroen[.]gr[.]com
localegem[.]net
orchomenos[.]news
pdfviewer[.]app
ube[.]gr[.]com
tinyulrs[.]com
nassosblog[.]gr[.]com
infosms-a[.]site
shorten[.]fi
bookjob[.]club
chatwithme[.]store
etisalatgreen[.]com
hopnope[.]xyz
liponals[.]store
newzeto[.]xyz
nikjol[.]xyz
telecomegy-ads[.]com
tiol[.]xyz
trecv[.]xyz
trecvf[.]xyz
trkc[.]online
ffoxnewz[.]com
bbcsworld[.]com
redeitt[.]com
koora-egypt[.]com
mywebsitevpstest[.]xyz
aramexegypt[.]com
clockupdate[.]com
cloudtimesync[.]com
timestampsync[.]com
updatetime[.]zone
vodafonegypt[.]com
itly[.]link
api-apple-buy[.]com
api-telecommunication[.]com
timeupdate[.]xyz
2y4nothing[.]xyz
fbc8213450838f7ae251d4519c195138[.]xyz
leanwithme[.]xyz
livingwithbadkidny[.]xyz
bitlly[.]live
serviceupdaterequest[.]com
edolio5[.]com
hellasjournal[.]website
elpais[.]me
bank-alahly[.]com
yallakora-egy[.]com
alraeesnews[.]net
carrefourmisr[.]com
etisalategypt[.]tech
ikea-egypt[.]net
uberegypt[.]cn[.]com
vodafoneegypt[.]tech
solargroup[.]xyz
qwxzyl[.]com
pocopoc[.]xyz
shortwidgets[.]com
uservicescheck[.]com
uservicesforyou[.]com
adultpcz[.]xyz
burgerprince[.]us
cosmote[.]center
url-promo[.]club
advfb[.]xyz
android-apps[.]tech
businesnews[.]net
canyouc[.]xyz
cbbc01[.]xyz
celebrnewz[.]xyz
ios-apps[.]store
landingpg[.]xyz
landingpge[.]xyz
mycoffeeshop[.]shop
newzgroup[.]xyz
omeega[.]xyz
solargoup[.]xyz
sportsnewz[.]site
weathernewz[.]xyz
weathersite[.]online
worldnws[.]xyz
apps-ios[.]net
ps1link[.]xyz
ps2link[.]xyz
lexpress[.]me
utube[.]to
alraeeenews[.]com
audit-pvv[.]com
itcgr[.]live
iibt[.]xyz
connectivitychecker[.]com
icloudeu[.]com
icloudflair[.]com
almasryelyuom[.]com
youtu-be[.]net
adibjan[.]net
politique-koaci[.]info
inservices[.]digital
sextape225[.]me
sinai-new[.]com
pastepast[.]net
link-protection[.]com
getupdatesnow[.]xyz
updatingnews[.]xyz
lnkedin[.]org
sephoragroup[.]com
nabd[.]site
zougla[.]news
orangegypt[.]co
xnxx-hub[.]com
youtubewatch[.]co
yuom7[.]net
we-site[.]net
tw[.]itter[.]me
wha[.]tsapp[.]me
ckforward[.]one
contents-domain[.]com
itter[.]me
sitepref[.]xyz
syncservices[.]one
syncupdate[.]site
updete[.]xyz
utube[.]digital
tsapp[.]me
tly[.]gr[.]com
wtc3333[.]com
niceonase[.]com
niceonesa[.]net
goldenscent[.]net
goldenscint[.]com
goldescent[.]com
nemshi[.]net
flexipagez[.]com
shortxyz[.]com
shortenurls[.]me
tinylinks[.]live
mobnetlink1[.]com
mobnetlink2[.]com
mobnetlink3[.]com
safelyredirecting[.]com
speedymax[.]shop
redirecting[.]page
nemshi-news[.]live
nemshi-news[.]xyz
bit-ly[.]org
cnn[.]gr[.]com
insider[.]gr[.]com
safelyredirecting[.]digital
advertsservices[.]com
tgrthgsrgwrthwrtgwr[.]xyz
otaupdatesios[.]com
speedy[.]sbs
guardian-tt[.]me
redirecting[.]live
tribune-mg[.]xyz
lexpress-mg[.]xyz
linktothisa[.]xyz
makeitshort[.]xyz
md-news-direct[.]com
shortely[.]xyz
sports-mdg[.]xyz
eg-gov[.]org
guardnew[.]live
guardnews[.]live
actumali[.]org
bitlinkin[.]xyz
mytrips[.]quest
conlnk[.]one
limk[.]one
linkit[.]cloud
linkit[.]digital
lylink[.]online
shortmee[.]one
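The indicators above are published defanged (`hxxps[:]//`, `[.]`), so they cannot be matched against logs as-is. The following is an added example, not code from the article or from Cisco Talos, showing how a defender would refang and classify such a list and then sweep a DNS query log for hits. The indicator lines in `DEFANGED_IOCS` are a subset copied from the list on this page; the DNS log lines in `SAMPLE_DNS_LOG`, its three-column layout, and all function names are constructed for this example.

```python
import re
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Subset of the defanged indicators from the Cisco Talos list reproduced above.
# The rest of the list can be pasted in the same way, one indicator per line.
DEFANGED_IOCS = """
8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6
hxxps[:]//redirecting[.]page:443/9cdfb439c7876e703e307864c9167a15/vsk/afile
llinkedin[.]net
youtube[.]voto
connectivitycheck[.]live
bit-ly[.]link
redirecting[.]page
tw[.]itter[.]me
"""

# Constructed sample DNS query log (not from the page): "timestamp client qname".
SAMPLE_DNS_LOG = """\
2023-05-26T10:00:01Z 10.0.0.12 www.example.com
2023-05-26T10:00:02Z 10.0.0.12 redirecting.page
2023-05-26T10:00:03Z 10.0.0.44 cdn.connectivitycheck.live.
2023-05-26T10:00:04Z 10.0.0.44 connectivitycheck.gstatic.com
2023-05-26T10:00:05Z 10.0.0.51 TW.ITTER.ME
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def refang(indicator: str) -> str:
    """Undo the defanging conventions used in the list:
    hxxp(s) -> http(s), [:] -> :, [.] -> . (assumed conventions)."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[.]", ".")


def classify(indicator: str) -> Tuple[str, str]:
    """Return (kind, normalized value); kind is 'sha256', 'url' or 'domain'."""
    s = refang(indicator)
    if SHA256_RE.match(s.lower()):
        return "sha256", s.lower()
    if "://" in s:
        return "url", s
    return "domain", s.lower().rstrip(".")


def build_ioc_sets(lines: Iterable[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Split indicator lines into hash, domain and URL sets.
    The host of every URL is also added to the domain set, because the
    DNS lookup happens before the path is ever seen."""
    hashes: Set[str] = set()
    domains: Set[str] = set()
    urls: Set[str] = set()
    for line in lines:
        if not line.strip():
            continue
        kind, value = classify(line)
        if kind == "sha256":
            hashes.add(value)
        elif kind == "url":
            urls.add(value)
            domains.add((urlsplit(value).hostname or "").lower())
        else:
            domains.add(value)
    return hashes, domains, urls


def domain_matches(qname: str, domains: Set[str]) -> Optional[str]:
    """Return the matching IoC domain if qname equals it or is a subdomain of it
    (cdn.redirecting.page matches redirecting.page). A lookalike such as
    connectivitycheck.gstatic.com does not match connectivitycheck.live."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def scan_dns_log(log_text: str, domains: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_ioc) for every log line that
    queried an IoC domain or one of its subdomains."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than failing the sweep
        ts, client, qname = parts[0], parts[1], parts[2]
        match = domain_matches(qname, domains)
        if match:
            hits.append((ts, client, match))
    return hits


if __name__ == "__main__":
    _, ioc_domains, _ = build_ioc_sets(DEFANGED_IOCS.splitlines())
    for ts, client, ioc in scan_dns_log(SAMPLE_DNS_LOG, ioc_domains):
        print(f"{ts} {client} queried IoC domain {ioc}")
```

Matching on the suffix rather than the whole name is deliberate: infrastructure of this kind is commonly fronted by arbitrary subdomains, so an exact-string comparison would miss them, while the label-boundary check keeps unrelated names that merely contain an IoC string (such as `connectivitycheck.gstatic.com`) from producing false positives. The hash set is kept separately so the same parsed list can be fed to an EDR or file-integrity query.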