A Nightmare Team Up
Intellexa is a company that creates commercial spyware for sale to law enforcement and governments. They named two of their spyware apps after famous movies, Alien and Predator, which can be installed invisibly on Android and iOS devices. While it is technically legal for them to sell this spyware to various official bodies, the security community is less than enthused by its existence and spends a fair amount of resources trying to figure out just how this malware functions. Recently Cisco Talos and The Citizen Lab made some interesting progress in their investigations.
It was believed that Alien was simply a program used to load Predator onto devices, but their discovery suggests it is a lot more. Alien is injected into the Zygote Android process via a variety of zero-day vulnerabilities, in which Intellexa is well versed, which then allows the invisible installation of the Predator spyware payload. However, it also seems to be capable of creating a shared memory space to store captured audio and data, and of adding a SELinux context label to any apps it chooses, to help it evade any security protections enabled on the phone.
Once Alien is on the device, it can also spread Predator processes across numerous threads to make them even harder to detect, not to mention allowing updates to Predator to ensure it can continue functioning even after the vulnerabilities it originally leveraged are patched. Predator itself can execute arbitrary code, hide applications or simply stop them from running, and install user certificates, in addition to recording any audio on the device, or around it for that matter.