Inner workings revealed for “Predator,” the Android malware that exploited 5 0-days

By | May 26, 2023
An image illustrating a phone infected with malware

Smartphone malware sold to governments around the world can surreptitiously record voice calls and nearby audio, collect data from apps such as Signal and WhatsApp, and hide apps or prevent them from running upon device reboots, researchers from Cisco’s Talos security team have found.

An analysis Talos published on Thursday provides the most detailed look yet at Predator, a piece of advanced spyware that can be used against Android and iOS mobile devices. Predator is developed by Cytrox, a company that Citizen Lab has said is part of an alliance called Intellexa, “a marketing label for a range of mercenary surveillance vendors that emerged in 2019.” Other companies belonging to the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., and Senpai.

Last year, researchers with Google’s Threat Analysis Group, which tracks cyberattacks carried out or funded by nation-states, reported that Predator had bundled five separate zero-day exploits in a single package and sold it to various government-backed actors. These buyers went on to use the package in three distinct campaigns. The researchers said Predator worked closely with a component known as Alien, which “lives inside multiple privileged processes and receives commands from Predator.” The commands included recording audio, adding digital certificates, and hiding apps.

Citizen Lab, meanwhile, has said that Predator is sold to a wide array of government actors from countries including Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. Citizen Lab went on to say that Predator had been used to target Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and wished to remain anonymous.

Unknown until now

Most of the inner workings of Predator were previously unknown. That has changed now that Talos obtained key parts of the malware written for Android devices.

According to Talos, the backbone of the malware consists of Predator and Alien. Contrary to previous understandings, Alien is more than a mere loader of Predator. Rather, it actively implements the low-level capabilities that Predator needs to surveil its victims.

“New analysis from Talos uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component deployed along with it known as ‘ALIEN,’” Thursday’s post stated. “Both components work together to bypass traditional security features on the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that ALIEN is much more than just a loader for PREDATOR as previously thought to be.”

In the sample Talos analyzed, Alien took hold of targeted devices by exploiting five vulnerabilities—CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048—the first four of which affected Google Chrome, and the last Linux and Android.

Alien and Predator work hand in hand to bypass restrictions in the Android security model, most notably those enforced by a protection known as SELinux. Among other things, SELinux on Android closely guards access to most sockets, which serve as communications channels between various running processes and are often abused by malware.

One method for doing this is loading Alien into memory space reserved for Zygote64, the method Android uses to start apps. That maneuver allows the malware to better manage stolen data.

“By storing the recorded audio in a shared memory area using ALIEN, then saving it to disk and exfiltrating it with PREDATOR, this restriction can be bypassed,” Talos researchers wrote. “This is a simplified view of the process—keep in mind that ALIEN is injected into the zygote address space to pivot into specialized privileged processes inside the Android permission model. Since zygote is the parent process of most of the Android processes, it can change to most UIDs and transition into other SELinux contexts that possess different privileges. Therefore, this makes zygote a great target to begin operations that require multiple sets of permissions.”

Predator, in turn, relied on two additional components:

  • Tcore is the main component and contains the core spyware functionality. The spying capabilities include recording audio and collecting information from Signal, WhatsApp and Telegram, and other apps. Peripheral functionalities include the ability to hide applications and prevent applications from being executed upon device reboot.
  • Kmem, which provides arbitrary read and write access into the kernel address space. This access comes courtesy of Alien exploiting CVE-2021-1048, which allows the spyware to execute most of its functions.

The deep dive will likely help engineers build better defenses to detect the Predator spyware and prevent it from working as designed. Talos researchers were unable to obtain Predator versions developed for iOS devices.

Source