Predator: The new competitor for Pegasus spyware can hack anyone using Android phones and Chrome browser

Researchers from Google Threat Analysis Group (TAG) report that in 2021, software development firm Cytrox sold Predator spyware to various hacking groups backed by state actors. These attacks are based on exploiting four flaws in Chrome tracked as CVE-2021-37973, CVE-2021-37976, CVE-2021-38000 and CVE-2021-38003, and the CVE-2021-1048 Android flaw.

The report, by researchers Clement Lecigne and Christian Resell, attributes the purchase of this spy tool to government-backed hackers in countries including Côte d’Ivoire, Egypt, Greece, Madagascar, Serbia, and Spain.

Spyware had already been a matter of international concern after it was confirmed that multiple governments did business with Israeli firm NSO Group to purchase Pegasus spyware. TAG estimates that there are at least 30 different spyware vendors globally.

While Pegasus is the most sophisticated spyware, Predator has broken into the market for zero-day spying malware and exploits. Both variants share similar characteristics, not to mention that they are employed for the same purposes.

The researchers mention that Predator is distributed through shortened links attached to phishing emails. If the target user clicks on one of these links, they are redirected to a malicious domain that delivers the Alien malware, which in turn drops the Predator payload.

Alien runs inside several privileged processes and receives commands from Predator, which enable audio capture, installation of malicious applications, and collection of logged information from the infected device.

In the campaigns exploiting the Android flaw, experts found that the malware abuses a zero-day vulnerability in JSON.stringify together with a bug in the Linux kernel's epoll() system call to obtain elevated privileges and hijack the affected device.

CVE-2021-1048 was addressed more than a year before Pegasus distribution began, although Android did not identify this as a security issue and many deployments remain vulnerable to this day.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.