May 31, 2023

Cisco Talos researchers have detected “PREDATOR” smartphone malware produced by Cytrox. This virus is capable of discreetly recording voice calls, capturing adjacent audio, extracting data from messaging apps like as Signal and WhatsApp, and even hiding or disabling programs after a device reset.

Talos discovered that the malware has a “ALIEN” component, which was previously assumed to be inconsequential but is really critical to the virus’s composition. To avoid detection and analysis, spyware developers such as Cytrox and NSO Group employ innovative tactics such as zero-click and one-click attacks. Cytrox created a one-click vulnerability for deploying the “PREDATOR” malware. These attack sequences make detecting and defending against spyware challenging.

Talos analyzed the PREDATOR malware and discovered that it utilizes five vulnerabilities (CVE-2021-37973, CVE-2021-37976, CVE-2021-38000, CVE-2021-38003, and CVE-2021-1048) to bypass security features on Android devices. These vulnerabilities exploit weaknesses in Google Chrome, Linux, and Android, giving the malware control over the targeted devices.

ALIEN, working in conjunction with PREDATOR, plays a significant role in evading Android’s security measures, including SELinux restrictions. SELinux is responsible for protecting access to communication channels called sockets, which malware often misuses. By loading ALIEN into Zygote64, the memory space for launching apps on Android, the spyware gains greater control and management over stolen data.

The sources for this piece include an article in ArsTechnica.