New capabilities discovered in Android spyware ‘Predator’

Target Industry

Indiscriminate, opportunistic targeting.

Overview

The Cisco-owned cyber security group Talos has recently discovered that the Android-targeting ‘Predator’ spyware has more capabilities than initially believed. Developed by the cyber intelligence firm Intellexa, Predator works in conjunction with a component named ‘Alien’ to carry out various data exfiltration operations; Alien was initially thought to be only a loader, but the new research shows it takes part in the data theft itself.

Newly discovered capabilities include exfiltration of recordings of phone calls and of audio from call-capable applications, collection of information from messaging apps such as WhatsApp and Telegram, and manipulation of applications to prevent them from running. More features may yet be discovered, as the research group stated that a full analysis of both Alien and Predator has not yet been completed.

Initial infection works by injecting Alien into the Android “Zygote” process, from which Predator is then downloaded. Once downloaded, the malware creates dedicated storage for the stolen data and manipulates the device so that the malware is not detected. Alien and Predator then work together to carry out various snooping activities, storing and exfiltrating the collected information.

Impact

If an infection by Predator and Alien succeeds, a wide range of sensitive information is exfiltrated and then sold to malicious actors or used for further manipulation. Depending on the target, this data could be used to blackmail victims or could cost them their employment if company data is involved, and stolen organisational data could be used to launch a large-scale, sophisticated attack causing irreparable damage to organisations or to individuals’ livelihoods.

Vulnerability Detection

A comprehensive endpoint detection and response (EDR) solution, such as Microsoft Defender, can provide additional protection against spyware threats like Alien or Predator. An EDR can alert users to a potential breach and block further progress before the malware is able to do significant damage.

Affected Products

Android OS.

Containment, Mitigations & Remediations

As mentioned previously, it is recommended that an EDR solution be implemented, allowing potential attacks from a wide range of threats to be prevented or mitigated in real time.

All devices should have the most recent vendor updates installed, as these contain security fixes that help prevent exploitation by known threats.

When visiting new sites on the device, be wary of authorising cookie usage, as this can lead to the initial infection; ensure that only trusted sites are accessed.

Indicators of Compromise

Predator associated file hashes (SHA256):

8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6

Predator associated URLs:

hxxps[:]//redirecting[.]page:443/9cdfb439c7876e703e307864c9167a15/vsk/afile
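The indicators above are published in defanged form (hxxps, [:] and [.]), so they cannot be matched against logs or file hashes as written. The following Python script is an added example, not part of the bulletin or of the Talos research: it refangs the listed URL, extracts its host, and checks constructed proxy log lines and file contents against the bulletin's IoCs. The log line layout and the sample bytes are constructed for the example; only the hash and the URL come from the page.

```python
import hashlib
import re

# Indicators copied from the bulletin above (SHA256 and defanged URL).
PREDATOR_SHA256 = {
    "8e4edb1e07ebb86784f65dccb14ab71dfd72f2be1203765b85461e65b7ed69c6",
}
PREDATOR_URLS_DEFANGED = [
    "hxxps[:]//redirecting[.]page:443/9cdfb439c7876e703e307864c9167a15/vsk/afile",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxp/hxxps, [:], [.]) back into a matchable URL."""
    s = indicator.strip()
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.replace("[:]", ":").replace("[.]", ".")


def host_of(url: str) -> str:
    """Return the host part of a URL (scheme, port and path removed), lower-cased."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, flags=re.IGNORECASE)
    return m.group(1).lower() if m else url.lower()


# Hosts to look for in egress/proxy logs, derived from the refanged URLs.
PREDATOR_HOSTS = {host_of(refang(u)) for u in PREDATOR_URLS_DEFANGED}


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA256 of a file's contents, for comparison with the listed hash."""
    return hashlib.sha256(data).hexdigest()


def file_matches_ioc(data: bytes, hashes=PREDATOR_SHA256) -> bool:
    """True if the contents hash to one of the listed Predator SHA256 values."""
    return sha256_of_bytes(data) in hashes


def scan_proxy_log(lines, hosts=PREDATOR_HOSTS):
    """Return (line_number, host) for each log line that contacts a listed host.

    Assumes a simple whitespace-separated layout where one token is the full URL
    (constructed for this example; adapt the tokenising to your log format).
    """
    hits = []
    for n, line in enumerate(lines, start=1):
        for tok in line.split():
            if "://" in tok and host_of(tok) in hosts:
                hits.append((n, host_of(tok)))
                break
    return hits


# Constructed sample proxy log: line 2 reaches the host from the bulletin's IoC.
SAMPLE_LOG = [
    "2023-05-26T10:01:02Z 10.0.0.12 GET https://www.example.com/index.html 200",
    "2023-05-26T10:01:09Z 10.0.0.12 GET https://redirecting.page:443/9cdfb439c7876e703e307864c9167a15/vsk/afile 200",
    "2023-05-26T10:02:30Z 10.0.0.15 GET https://updates.example.org/app.apk 200",
]

if __name__ == "__main__":
    for n, host in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: contact with Predator-associated host {host}")
    print("constructed sample bytes match IoC hash:", file_matches_ioc(b"constructed benign bytes"))
```

Matching on the host rather than the full URL is deliberate: the path component of a staging URL changes between campaigns, whereas the domain is the part most likely to recur in egress logs.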

Threat Landscape

Due to the increased popularity of smartphones, and particularly those running the open-source Android operating system, they have become a prime target for attacks, as many individuals store large amounts of personal information on them that can be exploited.

As cyber attacks have developed, information has become the most valuable resource for malicious groups, as it can be sold or used to execute large-scale attacks for greater intelligence or monetary gain. The use of spyware has become increasingly relevant to achieving this.

Threat Group

Initially developed by the Israeli cyber security group Intellexa, the malware is commercially available to anyone and therefore has not been attributed to any particular threat group.

Mitre Methodologies

Initial Access

T1566 – Phishing

Execution

T1204.001 – Malicious Link

T1204.002 – Malicious File

Further Information

Mercenary mayhem: A technical analysis of Intellexa’s PREDATOR spyware
