Smartphone malware sold to governments around the world can secretly record voice calls and nearby audio, collect data from apps like Signal and WhatsApp, and hide apps or prevent them from running across device reboots , researchers from Cisco’s Talos security team found.
An analysis published by Talos on Thursday provides the most detailed look at Predator, a piece of advanced spyware that can be used against Android and iOS mobile devices. Predator was developed by Cytrox, a company that Citizen Lab says is part of an alliance called Intellexa, “a marketing label for a range of mercenary surveillance vendors emerging in 2019.” Other companies belonging to the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., and Senpai.
Last year, researchers at Google’s Threat Analysis Group, which tracks cyberattacks carried out or funded by nation-states, reported that Predator bundled five separate zero-day exploits into one package and sold them of various actors supported by the government. These buyers continue to use the package in three separate campaigns. The researchers say that the Predator works closely with a component known as the Alien, which “lives inside many privileged processes and receives orders from the Predator.” Commands include recording audio, adding digital certificates, and hiding apps.
Citizen Lab, meanwhile, said the Predator was sold to several government actors from countries including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. Citizen Lab went on to say that the Predator was used to target Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosted a popular news program and want to remain anonymous.
Unknown until now
Much of the inner workings of the Predator were previously unknown. That has changed now that Talos has acquired key pieces of malware written for Android devices.
According to Talos, the backbone of the malware consists of Predator and Alien. Contrary to previous understandings, the Alien is more than just a Predator loader. Instead, it actively implements the low-level capabilities the Predator needs to monitor its prey.
“New analysis from Talos has uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with other spyware components deployed alongside it known as ‘ALIEN,'” it stated. in Thursday’s post. “The two components work together to bypass the traditional security features of the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that the ALIEN is more than a loader for PREDATOR as previously thought.
In the sample analyzed by Talos, Alien took over the targeted devices by exploiting five vulnerabilities—CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048 affecting Google Chrome, and finally Linux and Android.
Alien and Predator work together to bypass restrictions in the Android security model, particularly those enforced by a protection known as SELinux. Among other things, Android’s SELinux closely monitors access to most sockets, which serve as communication channels between different running processes and are often abused by malware.
One way to do this is to load Alien into the memory space reserved for Zygote64, the method Android uses to launch apps. That maneuver allows the malware to manage the stolen data.
“By storing the recorded audio in a shared memory area using ALIEN, then saving it to disk and exfiltrating it using PREDATOR, this restriction can be bypassed,” the Talos researchers wrote. “This is a simplified view of the process – remember that ALIEN is injected into the zygote address space to pivot to special privileged processes within the Android authorization model. Because the zygote is the process parent of most Android processes, it can change to most UIDs and switch to other SELinux contexts with different privileges. Therefore, this makes zygote a good target for starting those operation that requires multiple permission sets.
The predator, in turn, relies on two additional components:
- Tcore is the main component and contains the core functionality of the spyware. Surveillance capabilities include audio recording and information gathering from Signal, WhatsApp and Telegram, among other apps. Peripheral functionalities include the ability to hide applications and prevent applications from executing on device reboot.
- Kmem, which provides arbitrary read and write access to the kernel address space. This access comes courtesy of Alien exploiting CVE-2021-1048, which allows the spyware to perform most of its functions.
A deeper dive will likely help engineers develop better defenses to detect Predator spyware and prevent it from working as designed. Talos researchers did not get versions of Predator made for iOS devices.