Security researchers have published a detailed analysis of Predator, commercial Android spyware marketed by Intellexa (previously Cytrox), an Israeli-founded surveillance vendor. Google's Threat Analysis Group documented Predator in May 2022, in campaigns that chained zero-day vulnerabilities in the Chrome web browser and Android to install it.
The spyware is dropped by a loader component called Alien and can record audio from phone calls and VoIP apps, collect contacts and messages (including from Signal, WhatsApp, and Telegram), hide applications, and prevent them from running after the device is rebooted.
Alien provides the low-level capabilities that Predator relies on to conduct surveillance, which makes the pair a versatile and dangerous toolset. Spyware of this kind, Predator and NSO Group's Pegasus alike, is deployed in highly targeted attacks through exploit chains, often zero-click ones that require no interaction from the victim, to gain code execution and escalate privileges on the device.
Threat actors' use of commercial spyware has been rising alongside the number of cyber-mercenary companies selling it. Although these tools are ostensibly sold to governments to combat serious crime and national security threats, they have repeatedly been abused to surveil dissidents, activists, journalists, and other members of civil society.
Access Now, a digital rights group, found evidence of Pegasus targeting individuals in Armenia, including NGO workers, journalists, a UN official, and a human rights ombudsperson. Similar abuses have been reported in Mexico, where the government allegedly used Pegasus against a senior official investigating military abuses. In many cases, however, a spyware deployment cannot be conclusively attributed to a specific government agency. The proliferation of such tools raises concerns about privacy and about misuse by those in power.