Smartphone malware sold to governments around the world can covertly record voice calls and nearby audio, collect data from apps like Signal and WhatsApp, and hide apps or prevent them from running when the device is rebooted, researchers at the Cisco Talos security team have found.
The Talos analysis, published on Thursday, provides the most detailed review yet of Predator, an advanced piece of spyware that can be used against Android and iOS mobile devices. Predator is developed by Cytrox, a company that Citizen Lab said is part of the Intellexa Alliance, “a marketing label for a range of hired video surveillance vendors launched in 2019.” Other companies in the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd. and Senpai.
Last year, researchers at Google’s Threat Intelligence Group, which monitors government-led or government-sponsored cyberattacks, reported that Predator had been bundled with five separate zero-day exploits into one package and sold to various government-backed entities. These buyers used the package in three different campaigns. The researchers said Predator worked closely with a component known as Alien, which “lives inside a few privileged processes and receives commands from the Predator.” Those commands included recording audio, adding digital certificates, and hiding apps.
Meanwhile, Citizen Lab said Predator has been sold to a wide range of government entities in countries including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia. Citizen Lab went on to report that Predator was used to attack Ayman Nour, an Egyptian political opposition member living in exile in Turkey, and an exiled Egyptian journalist who hosts a popular news program and asked to remain anonymous.
Unknown until now
Much of the inner workings of Predator were previously unknown. That has changed now that Talos has obtained key pieces of the malware written for Android devices.
According to Talos, the malware consists of two parts, Predator and Alien. Contrary to earlier assumptions, Alien is more than just a loader for Predator. Rather, it actively implements the low-level capabilities that Predator needs to spy on its victims.
“A new analysis from Talos has revealed the inner workings of PREDATOR and the mechanisms it uses to communicate with another spy component deployed alongside it, known as ‘ALIEN,’” the report said Thursday. “The two components work together to bypass traditional security features in the Android operating system. Our results show the degree of interweaving of features between PREDATOR and ALIEN, proving that ALIEN is much more than just a loader for PREDATOR as previously thought.”
In the sample analyzed by Talos, Alien took over target devices using five vulnerabilities – CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003 and CVE-2021-1048 – the first four of which affected Google Chrome and the last of which affected Linux and Android.
Alien and Predator work hand in hand to bypass restrictions in the Android security model, primarily those imposed by the security mechanism known as SELinux. Among other things, SELinux on Android carefully guards access to most sockets, which serve as communication channels between running processes and are often abused by malware.
One way the spyware gets around this is by loading Alien into the memory space reserved for Zygote64, the process that Android uses to launch apps. This maneuver lets the malware manage stolen data more effectively.
“By storing the recorded audio in a shared memory area with ALIEN, then saving it to disk and deleting it with PREDATOR, this limitation can be circumvented,” the Talos researchers write. “This is a simplified representation of the process – keep in mind that ALIEN is injected into the zygote address space to jump to specialized privileged processes within the Android permissions model. Because zygote is the parent process of most Android processes, it can change to most UIDs and change to other SELinux contexts with different privileges. Thus, this makes zygote an excellent target for initiating operations that require multiple sets of permissions.”
Predator, in turn, relied on two additional components:
- Tcore, the main component, contains the core spyware functions. Its spying capabilities include recording audio and collecting information from Signal, WhatsApp, Telegram and other applications. Secondary features include the ability to hide apps and to prevent apps from running when the device reboots.
- Kmem provides arbitrary read/write access to the kernel address space. This access is granted by Alien using CVE-2021-1048, and it allows the spyware to perform most of its functions.
The deep dive will likely help engineers build better defenses to detect Predator spyware and stop it from operating. Talos researchers were unable to obtain versions of Predator designed for iOS devices.