Search This Blog

Powered by Blogger.

Blog Archive

Labels

Researchers Details the Licensing Model of Predator Spyware

Predator is a "remote mobile extraction system" that can target both Android and iOS.


A recent analysis of the sophisticated commercial spyware, Predator, reveals that its ability to persist between reboots is offered as an “add-on-feature” and is dependent upon the license options selected by the user, according to a recent analysis.

Predator is the result of a collaboration known as the Intellexa Alliance, which also comprises Senpai Technologies, Nexa Technologies, and Cytrox (later bought by WiSpear). In July 2023, the United States put Cytrox and Intellexa on its Entity List due to their "trafficking in cyber exploits used to gain access to information systems."

In regards to the issue, Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report, "In 2021, Predator spyware couldn't survive a reboot on the infected Android system (it had it on iOS[…]However, by April 2022, that capability was being offered to their customers."

The cybersecurity vendor first revealed the inner workings of Predator and its harmonic connection with another loader component named Alien more than six months ago. 

"Alien is crucial to Predator's successful functioning, including the additional components loaded by Predator on demand[…]The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims," Malhotra told cybersecurity firm Hackernews in an interview. 

Predator is a "remote mobile extraction system" that can target both Android and iOS. It is sold on a licensing model that can cost millions of dollars, depending on the number of concurrent infections and the exploit used for initial access. This puts Predator out of the reach of script kiddies and inexperienced criminals.

Spyware like Predator and Pegasus, which are designed by the NSO Group, often depend on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. However, if Apple and Google keep patching the security holes, these attack chains can become useless and they will have to start over.

It is significant to note that the organizations that create mercenary surveillance tools can also obtain whole or partial exploit chains from brokers and transform them into a functional exploit that can be used to successfully compromise target devices.

Another noteworthy aspect of Intellexa’s business model is that it gives the task of building the attack infrastructure, giving them some degree of plausible deniability if the campaigns are discovered—which is an inevitable outcome.

"The delivery of Intellexa's supporting hardware is done at a terminal or airport," the researchers said. "This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry's jargon ('Incoterms'). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located."

Furthermore, because the operations are intrinsically connected to the license, which is by default limited to a single phone country code prefix, Intellexa has "first-hand knowledge" of whether their customers are conducting surveillance activities outside of their own borders.  

Share it:

Intellexa

Predator

Predator spyware

Spyware

Spyware technology

Technology