Cisco Talos, the IT security research arm of the US network equipment vendor Cisco Systems, has published new details on how the Predator state Trojan works. The spyware is built and sold by the Intellexa consortium, based in Greece, and its subsidiary Cytrox. Until now, little more was known than that its capabilities are said to resemble those of the notorious Pegasus spyware from the Israel-based NSO Group. The researchers now give an overview of how Predator embeds itself in smartphones and other mobile devices running Google's Android operating system after infection and reads out stored data and ongoing communication.
Arbitrary code executed, faking shutdown
The Predator components examined by Talos suggest that the spyware can covertly record voice calls and nearby audio, collect data from apps such as Signal and WhatsApp, and hide applications or prevent them from launching, among other things. According to the experts' blog post, the state Trojan can also execute arbitrary code, add security certificates and read system and configuration data. Functions such as location tracking or camera access may have been implemented in other modules that the team has not yet been able to examine more closely. There is probably also an option to make the phone appear to be switched off.
Last year, researchers from Google's Threat Analysis Group (TAG) reported that Predator bundled five separate zero-day exploits for previously unknown vulnerabilities. These are CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003, all discovered in 2021 and affecting Google's Chrome browser, plus CVE-2021-1048 in the Linux kernel and Android. The spyware was said at the time to work closely with a component called Alien, which hooks into "multiple privileged processes" and takes "orders from Predator".
Talos is now documenting "the extent of the intertwining of capabilities" between Predator and Alien. The latter does more than just load the actual spyware, as previously assumed. Rather, the two components work closely together to bypass traditional Android security features such as SELinux.
Other components – SELinux bypassed
According to the article, one method for doing this is to load Alien into the address space of the "mother process" Zygote, from which Android forks all app processes and which makes certain system resources available to them. This placement lets the malware handle harvested data more conveniently. Alien is "injected into the zygote address space," the researchers write, "to get into special privileged processes within the Android permissions model." From there the module can change user IDs and switch to other SELinux contexts with higher authorizations.
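The zygote-injection technique described above is also what a defender would look for in a process listing. The following Python script is an added example written for this page; it is not Talos code and not part of Predator or Alien. It parses the output of Android's `ps -AZ` (toybox format: LABEL USER PID PPID ... NAME) and flags two anomalies that code running inside zygote with altered UIDs and SELinux contexts would tend to produce: a process owned by an app UID that runs in a non-app SELinux domain, and a child of zygote that is neither an app process nor system_server. The domain allow-list and the sample listing are constructed assumptions for illustration, not data from the Talos report.

```python
"""Heuristic check for app processes in privileged SELinux domains.

Added example (not Talos code, not Predator/Alien code). Parses `ps -AZ`
output from an Android device and reports processes whose SELinux domain
does not match what zygote normally hands out.
"""
import re

# Assumption: a practical allow-list of domains that zygote assigns to app
# processes on AOSP builds. Adjust for the device and Android version.
APP_DOMAINS = {
    "untrusted_app", "untrusted_app_25", "untrusted_app_27",
    "untrusted_app_29", "untrusted_app_30", "untrusted_app_32",
    "platform_app", "priv_app", "isolated_app", "ephemeral_app",
}
# Process names of the zygote variants that fork app processes.
ZYGOTE_NAMES = {"zygote", "zygote64", "webview_zygote", "app_zygote"}

# App UIDs are rendered by ps as u<user>_a<appid>, e.g. u0_a113.
APP_USER_RE = re.compile(r"^u\d+_a\d+$")

# Constructed sample of `ps -AZ` output. The last two lines are the
# anomalies: an app-UID process in the zygote domain, and a root process
# in the init domain forked from zygote64.
SAMPLE_PS = """
LABEL                          USER          PID  PPID    VSZ    RSS WCHAN ADDR S NAME
u:r:init:s0                    root            1     0  10000   2000 0     0    S init
u:r:zygote:s0                  root          612     1 120000  30000 0     0    S zygote64
u:r:system_server:s0           system       1105   612 500000  90000 0     0    S system_server
u:r:untrusted_app:s0:c113,c256,c512,c768 u0_a113 4512 612 300000 60000 0  0    S com.example.messenger
u:r:platform_app:s0:c512,c768  u0_a37       2210   612 250000  50000 0     0    S com.android.systemui
u:r:zygote:s0                  u0_a207      4890   612 200000  40000 0     0    S com.example.weather
u:r:init:s0                    root         5102   612 150000  20000 0     0    S .helper
"""


def parse_ps(text):
    """Parse `ps -AZ` lines into dicts with label, user, pid, ppid, name, domain."""
    procs = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "LABEL":
            continue  # header or malformed line
        label, user, pid, ppid, name = fields[0], fields[1], fields[2], fields[3], fields[-1]
        # SELinux label is user:role:type:level[:categories]; the type is the domain.
        domain = label.split(":")[2] if label.count(":") >= 3 else label
        procs.append({"label": label, "user": user, "pid": int(pid),
                      "ppid": int(ppid), "name": name, "domain": domain})
    return procs


def find_anomalies(text):
    """Return (pid, reason) tuples for processes with an unexpected domain."""
    procs = parse_ps(text)
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        # Check 1: an app UID should only ever run in an app domain.
        if APP_USER_RE.match(p["user"]) and p["domain"] not in APP_DOMAINS:
            findings.append((p["pid"], f"app uid {p['user']} runs in domain {p['domain']}"))
        # Check 2: zygote's children are app processes or system_server, nothing else.
        parent = by_pid.get(p["ppid"])
        if parent is not None and parent["name"] in ZYGOTE_NAMES:
            expected = (p["domain"] in APP_DOMAINS
                        or (p["user"] == "system" and p["domain"] == "system_server"))
            if not expected:
                findings.append((p["pid"], f"child of {parent['name']} as {p['user']} "
                                           f"in domain {p['domain']}"))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_PS with the output of `adb shell ps -AZ` on a real device.
    for pid, reason in find_anomalies(SAMPLE_PS):
        print(f"pid {pid}: {reason}")
```

The script is a coarse triage aid rather than a detector for Predator: injected code that stays inside the zygote process without forking, or that restores the original context before it is observed, leaves no trace in a process listing, and OEM builds and rooted devices add domains that the allow-list would need to absorb.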
In principle, Alien and Predator can be used against both Android and iOS devices, the experts explain; the components they analyzed, however, were developed specifically for Google's platform, and the researchers had no iOS counterparts to examine. For privilege escalation the spyware is configured to use a method called Quaileggs, which probably exploits CVE-2021-1048. That vulnerability was patched in the Linux kernel in September 2020, but some Google Pixel phones remained vulnerable until March 2021 and Samsung devices until at least October 2021.
The Talos team assumes that Predator contains at least two further components, tcore and kmem. The latter is sometimes used as an alternative to Quaileggs. The tcore Python module is loaded by Loader.py, one of the core elements, "after all initializations are complete". The researchers did not, however, have access to these components.
Trojans “particularly versatile and dangerous”
Spyware vendors put a lot of effort into making the final payload hard to detect, analyze and block, Talos notes in general terms. They favor attack chains "that often require little or no user interaction". Predator has been around since at least 2019 and is designed so that new Python-based modules can be deployed without having to exploit new vulnerabilities, which makes the Trojan "particularly versatile and dangerous". The analysis is intended to help developers build better defenses, detect the spyware and block its functions.
For many months, Intellexa's main product has been at the center of the Greek spying scandal, which the European Parliament's Pegasus inquiry committee is also investigating. According to the spyware hunters at the Citizen Lab at the University of Toronto, the manufacturer, which has Israeli roots, has also sold the program to Armenia, Egypt, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia. In Germany, it has been known since the beginning of the year that the Zitis hacking authority is interested in the state Trojan.