Alien versus Predator? No, this Android spyware works together

Phone-hugging code can record calls, read messages, track geolocation, access camera, other snooping


The Android Predator spyware has more surveillance capabilities than previously suspected, according to analysis by Cisco Talos, with an assist from non-profit Citizen Lab in Canada.

Predator and its loader Alien have been around since at least 2019, and are part of a larger suite developed by Cytrox, now called Intellexa. The software, which is designed to spy on and extract data from the devices it's slipped into, is available for Google Android and Apple iOS.

In its deep dive published on Thursday, which examines the Android version of the code, Talos suggests Alien is more than just a loader for Predator, and that the two work in combination to enable all kinds of espionage and intelligence-gathering activities on compromised devices.

"When used together, these components provide a variety of information stealing, surveillance and remote-access capabilities," the researchers said. 

This includes recording audio from phone calls and VoIP apps; stealing data from Signal, WhatsApp and Telegram; and even hiding applications or preventing them from running after a device reboots.

However, Talos admits they don't have access to all the spyware's components, so without a full examination of the code, "this capability list should not be considered exhaustive," they add. Still, Talos theorizes that the surveillance capabilities include geolocation tracking, camera access, and making it appear that the phone has powered off — which makes it easier to spy on a victim without their knowledge.

Like fellow snoopware Pegasus, which needs zero user interaction to infect victims' devices, Predator and Alien have been documented exploiting zero-days and other vulnerabilities to infect and take over Android phones.

First, Alien is injected into the Zygote Android process from which applications are forked and launched. Once running within that special system process, it downloads the latest version of Predator as well as the app's communication and synchronization components. Alien can also create shared memory space for the stolen audio and data, and a SELinux context to help it bypass Android security features and avoid detection.

"Alien is not just a loader but also an executor — its multiple threads will keep reading commands coming from Predator and executing them, providing the spyware with the means to bypass some of the Android framework security features," Talos said.

Predator, meanwhile, is an ELF file that uses Python modules and native code to perform its spying activities. These include arbitrary code execution; audio recording from the microphone, the earpiece and VoIP-based calls; creating user-level certificates; and hiding applications or preventing them from executing when the device reboots.

Working with the Alien loader, the spyware also identifies the device manufacturer. If it's made by Samsung, Huawei, Oppo or Xiaomi, the implant will recursively enumerate contents from several directories including messaging, contacts, media, email, social media and browser apps before exfiltrating the victim's data. See the Talos report for the full technical details. ®
