Predator spyware examined

Intellexa's commercial Predator spyware, which has been used in surveillance operations targeting European politicians, Meta executives, and journalists, has been deploying its Alien loader to the 'zygote64' Android process to enable more spyware components, according to BleepingComputer. Aside from enabling arbitrary code execution and certificate poisoning, both Predator's Python modules and Alien facilitate audio recording, directory enumeration, and preventing apps from executing after a reboot, a report from Cisco Talos and Citizen Lab revealed.

Once the Alien loader checks whether impacted devices are manufactured by Samsung, Huawei, Xiaomi, or Oppo, Predator proceeds to enumerate the contents of directories holding user messaging, browser, email, contact, and social media data, as well as private media files, while also deploying certificate poisoning to enable man-in-the-middle attacks. "From an attacker's perspective, the risks outweigh the reward, since with user-level certificates, the spyware can still perform TLS decryption on any communication within the browser," said researchers.
