Android Security

Inner Workings Revealed For 'Predator,' the Android Malware That Exploited 5 0-Days (arstechnica.com)

Researchers from Cisco's Talos security team have uncovered detailed information about Predator, a sophisticated spyware sold to governments worldwide, which can secretly record voice calls, collect data from apps like Signal and WhatsApp, and hide or disable apps on mobile devices. Ars Technica reports: An analysis Talos published on Thursday provides the most detailed look yet at Predator, a piece of advanced spyware that can be used against Android and iOS mobile devices. Predator is developed by Cytrox, a company that Citizen Lab has said is part of an alliance called Intellexa, "a marketing label for a range of mercenary surveillance vendors that emerged in 2019." Other companies belonging to the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd., and Senpai. Last year, researchers with Google's Threat Analysis Group, which tracks cyberattacks carried out or funded by nation-states, reported that Predator had bundled five separate zero-day exploits in a single package and sold it to various government-backed actors. These buyers went on to use the package in three distinct campaigns. The researchers said Predator worked closely with a component known as Alien, which "lives inside multiple privileged processes and receives commands from Predator." The commands included recording audio, adding digital certificates, and hiding apps. [...]

According to Talos, the backbone of the malware consists of Predator and Alien. Contrary to previous understandings, Alien is more than a mere loader of Predator. Rather, it actively implements the low-level capabilities that Predator needs to surveil its victims. "New analysis from Talos uncovered the inner workings of PREDATOR and the mechanisms it uses to communicate with the other spyware component deployed along with it known as 'ALIEN,'" Thursday's post stated. "Both components work together to bypass traditional security features on the Android operating system. Our findings reveal the extent of the interweaving of capabilities between PREDATOR and ALIEN, providing proof that ALIEN is much more than just a loader for PREDATOR as previously thought to be." In the sample Talos analyzed, Alien took hold of targeted devices by exploiting five vulnerabilities -- CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, CVE-2021-1048 -- the first four of which affected Google Chrome, and the last Linux and Android. [...] The deep dive will likely help engineers build better defenses to detect the Predator spyware and prevent it from working as designed. Talos researchers were unable to obtain Predator versions developed for iOS devices.

  • Well, the article claims "can be used against iOS" but provides no discussion of that. It's great to see an analysis of how it works on Android, but I'd expect a credible security site to provide a bit of justification for why it thinks this also impacts iOS. It would be sufficient, I suppose, to point back to the malware developer's claims it works on iOS, as a minimum, if Talos has no evidence it works on iOS.

    • From summary:

      Talos researchers were unable to obtain Predator versions developed for iOS devices.

      So what do you expect? Pure speculation?

      • "So what do you expect? Pure speculation?" That would be OK -if it was labeled as such-. Some source/justification/explanation for the "also iOS" comment would be appropriate, I think.

    • by tlhIngan ( 30335 )

      Well, the article claims "can be used against iOS" but provides no discussion of that. It's great to see an analysis of how it works on Android, but I'd expect a credible security site to provide a bit of justification for why it thinks this also impacts iOS. It would be sufficient, I suppose, to point back to the malware developer's claims it works on iOS, as a minimum, if Talos has no evidence it works on iOS.

      Well, the malware has an iOS version. But they don't have a copy of that to analyze to figure out

  • by Canberra1 ( 3475749 ) on Saturday May 27, 2023 @02:55AM (#63554911)
    In the last round of cybersecurity hacks, the companies bleated key passwords were stolen from mobile devices - then amplified. There must be zero tolerance to back-doors. Yet it was sold to various government-backed actors, and the cyber based authorities failed in their core responsibilities. I say let Huawei and others in, because the failure was complete. Next, Android DID once have a pretty good reputation. I am not sure how you could shoe in priv level loaders, unless binary blobs in the firmware were compromised. Hiding running tasks - how? I hope someone reconciles Android source code with these zero days and explains simply: How? Right now I suspect hidden manufacturer/OEM interfaces with evil payloads - that is not in the source code.
  • I'm never giving up my Palm Treo.
  • From CVE-2021-1048 [nist.gov], affecting Linux and Android, yet another avoidable self-own:

    In ep_loop_check_proc of eventpoll.c, there is a possible way to corrupt memory due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

    Severity: 7.8 HIGH
    Weakness Enumeration: CWE-416 [mitre.org] Use After Free
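For readers following the CWE-416 quote above, here is an added C illustration of the weakness class (constructed for this page; it is not code from the Linux kernel, from Talos, or from the CVE record). It shows the use-after-free pattern in its simplest form, a caller keeping a reference to an object after it has been released, and one defensive design that turns the stale access into a rejected call: callers hold handles into a table that records whether each slot is live, dead, or unused, and dead slots are never reused. The `struct obj`, the slot table and all names in it are assumptions made for the example only.

```c
/* Constructed illustration of CWE-416 (use after free) and a handle-table
 * check that rejects stale accesses. Not kernel, Talos or CVE code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SLOTS 8

/* Toy object standing in for any heap-allocated kernel or app object. */
struct obj {
    int id;
    char name[16];
};

enum slot_state { SLOT_FREE = 0, SLOT_LIVE, SLOT_DEAD };

/* Handle table: callers receive a handle, never a raw pointer, so every
 * access is checked against the slot's state. A DEAD slot is never reused
 * in this toy, which is what stops a stale handle from aliasing a newer
 * object allocated into the same place. */
static struct {
    struct obj *p;
    enum slot_state state;
} table[SLOTS];

/* Return the table to its initial state, freeing any live object. */
void table_reset(void) {
    for (int h = 0; h < SLOTS; h++) {
        if (table[h].state == SLOT_LIVE) free(table[h].p);
        table[h].p = NULL;
        table[h].state = SLOT_FREE;
    }
}

/* Allocate an object; returns a handle >= 0, or -1 if no slot is free. */
int obj_new(int id, const char *name) {
    for (int h = 0; h < SLOTS; h++) {
        if (table[h].state != SLOT_FREE) continue;
        struct obj *o = calloc(1, sizeof *o);
        if (o == NULL) return -1;
        o->id = id;
        strncpy(o->name, name, sizeof o->name - 1);
        table[h].p = o;
        table[h].state = SLOT_LIVE;
        return h;
    }
    return -1;
}

/* Read the object's id through its handle. Returns 0 on success, -1 if the
 * handle is out of range or refers to a released object (the CWE-416 case). */
int obj_get_id(int h, int *out) {
    if (h < 0 || h >= SLOTS || table[h].state != SLOT_LIVE) return -1;
    *out = table[h].p->id;
    return 0;
}

/* Release the object: poison the memory so a stale raw pointer would read
 * junk rather than plausible data, free it, clear the pointer, and mark the
 * slot DEAD. Returns 0, or -1 on a bad handle or a double release. */
int obj_release(int h) {
    if (h < 0 || h >= SLOTS || table[h].state != SLOT_LIVE) return -1;
    memset(table[h].p, 0xa5, sizeof *table[h].p);
    free(table[h].p);
    table[h].p = NULL;
    table[h].state = SLOT_DEAD;
    return 0;
}

/* The bug pattern end to end: allocate, release, then use the old handle.
 * Returns the result of the stale access (-1 means it was caught), or -2
 * if the setup itself failed. */
int demo_stale_use(void) {
    table_reset();
    int h = obj_new(42, "session");   /* constructed sample object */
    int id = 0;
    if (h < 0 || obj_get_id(h, &id) != 0 || id != 42) return -2;
    if (obj_release(h) != 0) return -2;
    /* A caller that still holds h after release and dereferences it. */
    return obj_get_id(h, &id);
}

int main(void) {
    int rc = demo_stale_use();
    printf("stale handle access %s\n", rc == -1 ? "rejected" : "NOT rejected");
    return rc == -1 ? 0 : 1;
}
```

The same idea, at much larger scale, is what hardened allocators and kernel sanitizers do: keep freed memory from being handed back immediately, poison it on free, and make a stale reference fail loudly rather than silently corrupt memory, which is the step the CVE text above describes as leading to local escalation of privilege.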
