
Predator Mobile Malware

Government-backed threat actors are using a mobile malware threat tracked as Predator to infect the devices of selected targets. Predator has been linked to a commercial surveillance vendor called Cytrox. According to CitizenLab's findings, Cytrox was first established as a North Macedonian start-up; the company has since established a corporate presence in Israel and Hungary and is believed to supply spyware and zero-day exploits to its clients. A report by Google's TAG (Threat Analysis Group) confirmed that the threat actors using Predator are located in multiple countries, including Egypt, Greece, Spain, Armenia, Côte d'Ivoire, Madagascar, and Indonesia.

Details about Predator

Predator is spyware that can infect both iOS and Android devices. It is deployed to a device by a first-stage loader. In the three attack campaigns detailed in the Google TAG report, the loader was identified as ALIEN, a fairly simple implant that injects itself into multiple privileged processes. Once established, ALIEN receives commands from Predator via IPC. Confirmed commands include recording audio, adding CA certificates, and hiding specific apps. On iOS devices, Predator establishes persistence by abusing the iOS automation feature.

The infection chain of the three analyzed Android campaigns begins with one-time links delivered to the chosen targets via email. The links mimic those of URL shortener services. When the target clicks a link, the browser is redirected to an attacker-controlled domain, where zero-day and n-day exploits are used to compromise the device before the browser is sent on to a legitimate website. If the link is no longer active, it redirects directly to the legitimate destination.
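The one-time redirect chain described above leaves a recognizable trace when the target's web traffic passes through a logging proxy: a short-link-style URL returns a redirect to an unfamiliar host, that host redirects again to a legitimate site, and later visits to the same link skip the middle hop. The following Python script is an added example, not code from this page, from Google TAG or from Cytrox. It runs over constructed proxy log lines (the hosts, paths and the whitespace-separated log format are invented for illustration) and reports both the suspicious chains and the links whose routing changed between visits.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed proxy log for illustration only; hosts and paths are made up.
# Fields: timestamp client method url status location ('-' when no Location header)
SAMPLE_LOG = """\
2022-05-19T10:01:02Z 10.0.0.5 GET https://short.example/a1B2c3 302 https://cdn-content.example/load?id=a1B2c3
2022-05-19T10:01:03Z 10.0.0.5 GET https://cdn-content.example/load?id=a1B2c3 302 https://news.example/story/1234
2022-05-19T10:01:04Z 10.0.0.5 GET https://news.example/story/1234 200 -
2022-05-19T10:15:00Z 10.0.0.7 GET https://short.example/a1B2c3 302 https://news.example/story/1234
2022-05-19T10:15:01Z 10.0.0.7 GET https://news.example/story/1234 200 -
2022-05-19T11:00:00Z 10.0.0.9 GET https://news.example/ 200 -
"""

# Short-link style path: a single opaque token, as URL shorteners produce (heuristic).
SHORT_PATH = re.compile(r"^/[A-Za-z0-9_-]{4,12}$")


def parse_log(text):
    """Parse the assumed log format into a list of request dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, location = line.split()
        entries.append({
            "ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "location": None if location == "-" else location,
        })
    return entries


def host(url):
    return urlparse(url).hostname


def build_chains(entries):
    """Stitch consecutive requests from one client into redirect chains.

    A chain continues when the client's previous response was a 3xx whose
    Location header equals the URL of the client's next request.
    """
    chains = []
    open_chain = {}  # client -> chain still waiting for its redirect target
    for e in entries:
        chain = open_chain.get(e["client"])
        if chain and chain[-1]["location"] == e["url"]:
            chain.append(e)
        else:
            chain = [e]
            chains.append(chain)
        if 300 <= e["status"] < 400 and e["location"]:
            open_chain[e["client"]] = chain
        else:
            open_chain.pop(e["client"], None)
    return chains


def analyze_chains(chains):
    """Flag short-link chains that bounce through an extra host before a 200."""
    findings = []
    for chain in chains:
        if len(chain) < 3:
            continue
        first, last = chain[0], chain[-1]
        if not SHORT_PATH.match(urlparse(first["url"]).path):
            continue
        hops = {host(e["url"]) for e in chain[1:-1]} - {host(first["url"]), host(last["url"])}
        if hops and last["status"] == 200:
            findings.append({
                "client": first["client"], "link": first["url"],
                "intermediate_hosts": sorted(hops), "final_host": host(last["url"]),
            })
    return findings


def one_time_link_evidence(chains):
    """Return links that resolved through different host sequences on different visits."""
    routes = defaultdict(set)
    for chain in chains:
        if len(chain) < 2:
            continue
        routes[chain[0]["url"]].add(tuple(host(e["url"]) for e in chain[1:]))
    return sorted(link for link, seen in routes.items() if len(seen) > 1)


if __name__ == "__main__":
    chains = build_chains(parse_log(SAMPLE_LOG))
    for f in analyze_chains(chains):
        print("suspicious chain:", f)
    for link in one_time_link_evidence(chains):
        print("link routed differently between visits:", link)
```

Both checks are heuristics: legitimate shortener services also redirect through intermediate tracking hosts, so the output is a triage queue rather than a verdict. The second check is the more specific one for this campaign, because a link that routed through an extra host for exactly one client and then went straight to the destination for everyone else matches the one-time behaviour described above; pairing it with the time of the first visit gives the window in which the device should be examined.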
