We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Researchers Reveal Predator Spyware’s Data Theft Capabilities

Researchers Reveal Predator Spyware’s Data Theft Capabilities
Author Image Zane Kennedy
Zane Kennedy Published on 29th May 2023 Cybersecurity Researcher

Cybersecurity researchers at Cisco Talos and the Citizen Lab have delved into the inner workings of the notorious Predator Android spyware, shedding light on its sophisticated surveillance capabilities.

Developed by the Israeli company Intellexa (formerly known as Cytrox), Predator records phone calls, collects information from messaging apps (including WhatsApp), and even hides certain applications and prevents their execution. It has been implicated in targeted attacks against journalists, high-profile European politicians, and executives at Meta.

The Predator spyware exploits Android zero-day vulnerabilities, as disclosed by Google TAG in May 2022. By chaining multiple vulnerabilities together, the spyware could perform shellcode execution. This allowed it to deliver Predator's loader component, aptly named 'Alien’, onto the target device.

Alien, injected into the core Android process 'zygote64,' assumes a crucial role by establishing a foundation for Predator's malicious activities. Acting as both a loader and executor, Alien downloads additional spyware components based on a predefined configuration. It conceals these components within legitimate system processes, evading detection from Android security mechanisms such as SELinux.

Cisco Talos, who extensively examined the spyware, highlighted the spearhead module Predator. They explained that the component enters the device as an ELF file and sets up a Python runtime environment to enable various espionage functionalities.

Predator's Python modules, in collaboration with Alien, offer an extensive range of intrusive functionality. Alien recursively scans directories holding user data from messaging, social media, email, and browser apps. It also meticulously lists private files residing in the user's media folders, such as audio, images, and video.

One of the most alarming features of Predator is its ability to spy on TLS-encrypted network communications and even conduct man-in-the-middle attacks. It does this by installing custom certificates to the user's trusted certificate authorities at the user level. It’s believed that certificates are installed at the user-level as opposed to the system-level as it ensures the operation of the device isn't adversely affected, which could tip off the user that something is wrong.

As the investigation into Predator continues, researchers strive to unveil its complete functionality.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.