Inner Workings Revealed for “Predator”, the Android Malware Abused for 5 0-Days

[Image: a phone infected with malware]

Smartphone malware sold to governments around the world can covertly record voice calls and nearby audio, collect data from apps like Signal and WhatsApp, and hide apps or prevent them from running after the device reboots, researchers on Cisco’s Talos security team have found.

An analysis published Thursday by Talos provides the most detailed look yet at Predator, a piece of advanced spyware that can be used against Android and iOS mobile devices. Predator was developed by Cytrox, a company that Citizen Lab says is part of an alliance called Intellexa, “a marketing label for a range of mercenary vendors that emerged in 2019.” Other companies in the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd. and Senpai.

Last year, researchers from Google’s Threat Analysis Group, which tracks cyberattacks conducted or funded by nation states, reported that Predator had bundled and sold five separate zero-day exploits into a single package to various government-backed actors. These buyers then used the package in three different campaigns. The researchers said Predator worked closely with a component known as Alien, which “lives within multiple privileged processes and receives commands from Predator.” The commands include recording audio, adding digital certificates, and hiding apps.

Citizen Lab, meanwhile, has said that Predator is being sold to a wide variety of government actors from countries such as Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia. Citizen Lab further said that Predator had been used to target Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an exiled Egyptian journalist who hosts a popular news program and wishes to remain anonymous.

Unknown until now

Most of Predator’s inner workings were previously unknown. That has changed now that Talos has acquired significant pieces of the malware written for Android devices.

According to Talos, the backbone of the malware consists of Predator and Alien. Contrary to previous beliefs, Alien is more than just a loader for Predator. Rather, it actively implements the low-level capabilities Predator needs to surveil its victims.

“New analysis from Talos has exposed the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component it deploys, known as ‘ALIEN’,” said Thursday’s post. “Both components work together to bypass the traditional security features of the Android operating system. Our findings reveal the extent of the interconnectedness of abilities between PREDATOR and ALIEN, providing evidence that ALIEN is much more than just a loader for PREDATOR as previously thought.”

In the sample that Talos analyzed, Alien compromised targeted devices by exploiting five vulnerabilities – CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 and CVE-2021-1048 – the first four of which affect Google Chrome and the last of which affects Linux and Android.

Alien and Predator work hand-in-hand to get around restrictions in the Android security model, especially those enforced by a protection known as SELinux. Among other things, SELinux on Android restricts access to most sockets, which serve as communication channels between running processes and are often misused by malware.

One method of doing this is loading Alien into the address space of Zygote64, the process Android uses to launch apps. This maneuver allows the malware to better manage the stolen data.

“Storing the recorded audio in a shared memory area using ALIEN, then saving it to disk and exfiltrating it using PREDATOR can circumvent this limitation,” Talos researchers wrote. “This is a simplified view of the process – note that ALIEN is injected into the zygote address space to run to specialized privileged processes within the Android permissions model. Since zygote is the parent process of most Android processes, it can change to most UIDs and transition to other SELinux contexts that have different privileges, so this makes zygote a great target to launch operations that require multiple sets of permissions.”
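As an added defender-side illustration (not code from Talos or from the article), the following Python script flags executable mappings in a zygote64 process that are anonymous or backed by files outside Android's system partitions, the kind of artifact that injecting code into zygote's address space can leave behind. The `/proc/<pid>/maps` sample is constructed, and the trusted-partition list is an assumption.

```python
"""Flag suspicious executable mappings in a zygote64 memory map (added example).

Assumes Linux-style /proc/<pid>/maps text collected from a device; the
sample at the bottom is constructed, not a real capture.
"""
import re
from typing import Dict, List

# Partitions from which Android legitimately maps executable code (assumed list).
TRUSTED_PREFIXES = ("/system/", "/apex/", "/vendor/", "/product/",
                    "/system_ext/", "/odm/")

MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+[0-9a-f]+:[0-9a-f]+\s+(?P<inode>\d+)\s*(?P<path>.*)$")


def parse_maps(text: str) -> List[Dict[str, str]]:
    """Parse /proc/<pid>/maps lines into dicts; lines that don't match are skipped."""
    return [m.groupdict() for m in (MAPS_RE.match(l.strip()) for l in text.splitlines()) if m]


def suspicious_exec_mappings(text: str) -> List[Dict[str, str]]:
    """Return executable mappings that are anonymous (inode 0, no path) or backed
    by a file outside the trusted partitions. Zygote should only execute code
    shipped with the OS image, so either pattern deserves a closer look."""
    hits = []
    for m in parse_maps(text):
        if "x" not in m["perms"]:
            continue
        path = m["path"].strip()
        if path.startswith("["):            # [vdso], [vectors]: kernel-provided
            continue
        if m["inode"] == "0" and not path:  # anonymous executable memory
            hits.append(m)
        elif path and not path.startswith(TRUSTED_PREFIXES):
            hits.append(m)
    return hits


# Constructed sample: two legitimate libraries, one anonymous r-x region,
# one library mapped from the data partition, a normal heap region, and vdso.
SAMPLE_MAPS = """\
7f1a000000-7f1a001000 r-xp 00000000 fd:00 1234 /apex/com.android.runtime/lib64/bionic/libc.so
7f1b000000-7f1b100000 r-xp 00000000 fd:00 5678 /system/lib64/libandroid_runtime.so
7f1c000000-7f1c002000 r-xp 00000000 00:00 0
7f1d000000-7f1d010000 r-xp 00000000 fd:01 9012 /data/local/tmp/.x/libpayload.so
7f1e000000-7f1e020000 rw-p 00000000 00:00 0
7ffff0000000-7ffff0001000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for hit in suspicious_exec_mappings(SAMPLE_MAPS):
        print(f"{hit['start']}-{hit['end']} {hit['perms']} {hit['path'] or '<anonymous>'}")
```

On a real device the input would come from the zygote64 pid's maps file, and a hit is a lead for memory acquisition, not proof of infection.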

Predator, in turn, relied on two additional components:

• Tcore is the main component and contains the core spyware functionality. Its spying capabilities include recording audio and collecting information from Signal, WhatsApp, Telegram and other apps. Peripheral features include the ability to hide applications and prevent applications from running after the device restarts.
• Kmem provides arbitrary read and write access to the kernel’s address space. This access comes from Alien exploiting CVE-2021-1048, and it is what allows the spyware to perform most of its functions.

The deep dive will likely help engineers build better defenses to detect and prevent the Predator spyware from acting as designed. Talos researchers were unable to obtain Predator versions developed for iOS devices.