
A new analysis of a sophisticated commercial spyware called Predator reveals that its ability to persist across reboots is provided as an “add-on feature” that depends on the licensing options selected by customers.
“In 2021, the Predator spyware cannot be restarted on infected Android systems (it is also available on iOS),” Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura said in a report shared with The Hacker News. “However, this functionality will be available to their customers by April 2022.”
Predator is a product of the Intellexa Alliance, which includes Cytrox (later acquired by WiSpear), Nexa Technologies and Senpai Technologies. Both Cytrox and Intellexa were placed on the Entity List by the United States in July 2023 for “trafficking network vulnerabilities used to gain access to information systems.”
More than six months ago, the cybersecurity vendor detailed the inner workings of Predator and its close relationship with another loader component called Alien.
“Alien is critical to the successful operation of Predator, including Predator’s on-demand add-ons,” Malhotra told The Hacker News at the time. “The relationship between Alien and Predator is extremely symbiotic, requiring them to constantly work together to monitor their victims.”
Predator, which targets Android and iOS, is described as a “remote action extraction system” that is sold under a licensing model that can cost up to millions of dollars, depending on the exploits used for initial access and the number of concurrent infections. That price puts it out of reach of script kiddies and novice criminals.
Spyware such as Predator and NSO Group’s Pegasus often relies on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. But as Apple and Google continue to close security holes, these exploit chains may become ineffective, forcing the vendors to start over.

However, it is worth noting that the companies behind mercenary surveillance tools can also acquire full or partial exploit chains from vulnerability brokers and turn them into operational exploits that can be used to compromise a target device.
Another key aspect of Intellexa’s business model is that it shifts the work of setting up attack infrastructure onto the customers themselves, leaving room for plausible deniability when attack activity is exposed (which it inevitably will be).
“Delivery of Intellexa’s support hardware is completed at the terminal or airport,” the researchers said.
“This method of delivery is known as Cost Insurance and Freight (CIF) and is part of the shipping industry’s terminology (‘Incoterms’). This mechanism allows Intellexa to claim that they have no knowledge of where the system will be deployed and where it will end up.”

Most importantly, Intellexa has “first-hand knowledge” of whether its customers are performing surveillance operations abroad, since these operations are inherently tied to the license, which by default is limited to a single phone country-code prefix.
However, this geographical restriction can be relaxed by paying an additional fee.

Cisco Talos notes that while public exposure of private-sector attackers and their activities has been successful as an attribution effort, it has had little impact on their ability to conduct and grow their business globally, even though it may affect their customers, such as governments.
“This may increase costs by having them purchase or create new vulnerability chains, but these vendors appear to have acquired new vulnerability chains seamlessly, allowing them to exploit new vulnerability chains by jumping from one set of vulnerabilities to another as a means of initial access to sustain business,” the researchers said.
“We need public disclosure of technical analysis of operational spyware and physical samples to allow for public scrutiny of malware. This public disclosure will not only allow for deeper analysis and drive detection efforts, but will also increase program development costs for vendors that continually improve their implants.”