Alien And Predator Team Up To Take Over Androids

Source: The Register Alien And Predator Team Up To Take Over Androids

A Nightmare Team Up

Intellexa is a company that creates commercial spyware for sale to law enforcement and governments. They named two of their spyware apps after famous movies, Alien and Predator, which can be installed invisibly on Android and iOS devices. While it is technically legal for them to sell this spyware to various official bodies, the security community is less than enthused by its existence and spends a fair amount of resources trying to figure out just how this malware functions. Recently Cisco Talos and The Citizen Lab made some interesting progress in their investigations.

It was believed that Alien was simply a program used to load Predator onto devices, but their discovery suggests it is a lot more. Alien is injected into the Zygote Android process via a variety of zero-day vulnerabilities, in which Intellexa is quite well versed, which then allows the invisible installation of the Predator spyware payload. However, it also seems to be capable of creating a shared memory space to store captured audio and data, and of adding a SELinux context label to any app it feels like, to help it avoid any security protections enabled on the phone.

Once Alien is on there it can also spread Predator processes across numerous threads to make it even harder to detect, not to mention allowing updates to Predator to ensure it can continue functioning even after the vulnerabilities it originally leveraged are patched. Predator itself can execute arbitrary code, hide applications or simply stop them from running, and install user certificates, in addition to recording any audio on the device, or around it for that matter.

There is worse to read about these two spyware apps over at The Register, if your digestion isn’t already ruined.

Working with the Alien loader, the spyware also identifies the device manufacturer. If it's made by Samsung, Huawei, Oppo or Xiaomi, the implant will recursively enumerate contents from several directories including messaging, contacts, media, email, social media and browser apps before exfiltrating the victim's data.

About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
