
A nightmare team
Intellexa is a company that sells commercial spyware to law enforcement agencies and governments. Two of its products, named Alien and Predator after the film franchises, can be installed silently on both Android and iOS devices. While selling this spyware to official bodies is technically legal, the security community is less than enthusiastic about its existence and spends a fair amount of effort working out how the malware operates. Cisco Talos and The Citizen Lab recently made some interesting advances in their investigations.
Alien was believed to be nothing more than a loader for Predator, but the new findings show it does much more. Alien is injected into Android's Zygote process (the parent from which every app process is forked) using zero-day vulnerabilities, an area where Intellexa is quite adept, and from there it stealthily installs the Predator payload. It also sets up a shared memory region in which captured audio and other data are stored, and it can assign a SELinux context label to whichever app it chooses, which helps it bypass the security protections enabled on the phone.
Once Alien is present, it can also spread Predator across numerous threads to make it even harder to detect, and it can update Predator so that it keeps running even after the vulnerabilities originally exploited are patched. Predator itself can execute arbitrary code, hide applications or simply stop them from running, install user certificates, and record any audio on or around the device.
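The SELinux relabeling trick described above is something a defender can look for on a device. The following Python script is an added example, not code from Cisco Talos, The Citizen Lab or this post: it parses `ps -AZ` output (the sample embedded here is constructed for the example, not a real capture) and flags app processes whose SELinux domain is not one of the stock app domains, or whose parent is not a zygote process. The allowlist of domains and the heuristic of recognising app processes by their `u0_aNNN` UID are assumptions about a stock AOSP build.

```python
import re

# Constructed sample of `adb shell ps -AZ` output (toybox layout:
# LABEL USER PID PPID VSZ RSS WCHAN ADDR S NAME). Made up for this example,
# not a capture from an infected device; the last two rows are the anomalies.
SAMPLE_PS_AZ = """\
LABEL                          USER      PID  PPID     VSZ    RSS WCHAN  ADDR S NAME
u:r:init:s0                    root        1     0 2227212   4096 0      0 S init
u:r:zygote:s0                  root      612     1 4987654 123456 0      0 S zygote64
u:r:system_server:s0           system   1040   612 8123456 345678 0      0 S system_server
u:r:untrusted_app:s0:c113,c256,c512,c768 u0_a113 2211 612 6123456 98765 0 0 S com.android.chrome
u:r:platform_app:s0:c512,c768  u0_a45   2390   612 5123456  87654 0      0 S com.android.systemui
u:r:zygote:s0                  u0_a200  3120   612 5123456  65432 0      0 S com.example.notes
u:r:su:s0                      u0_a201  3150  1040 4123456  54321 0      0 S com.example.weather
"""

# SELinux domains that stock AOSP assigns to app processes forked from zygote.
# Assumption: vendor builds may add their own app domains, so treat this as a
# tunable allowlist rather than a complete list.
EXPECTED_APP_DOMAINS = frozenset({
    "untrusted_app", "untrusted_app_25", "untrusted_app_27", "untrusted_app_29",
    "untrusted_app_30", "untrusted_app_32", "platform_app", "priv_app",
    "system_app", "isolated_app",
})

# App UIDs look like u<user>_a<appid>, e.g. u0_a113.
APP_UID_RE = re.compile(r"^u\d+_a\d+$")


def parse_ps_az(text):
    """Parse `ps -AZ` text into dicts with label, domain, user, pid, ppid, name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or parts[0] == "LABEL":
            continue  # header or malformed line
        label = parts[0]
        fields = label.split(":")
        # A full context is user:role:type:sensitivity[:categories]; the type
        # (third field) is the process domain.
        domain = fields[2] if len(fields) >= 3 else label
        rows.append({
            "label": label, "domain": domain, "user": parts[1],
            "pid": int(parts[2]), "ppid": int(parts[3]), "name": parts[-1],
        })
    return rows


def find_mislabeled_apps(rows, expected=EXPECTED_APP_DOMAINS):
    """Flag app-UID processes whose SELinux domain is not an expected app
    domain, or whose parent is not a root-owned zygote process."""
    # Identify zygote by name and owner rather than by label, so that a
    # process fraudulently labelled u:r:zygote:s0 cannot vouch for itself.
    zygote_pids = {r["pid"] for r in rows
                   if r["name"].startswith("zygote") and r["user"] == "root"}
    findings = []
    for r in rows:
        if not APP_UID_RE.match(r["user"]):
            continue  # not an app process
        reasons = []
        if r["domain"] not in expected:
            reasons.append(f"unexpected SELinux domain {r['domain']!r}")
        if r["ppid"] not in zygote_pids:
            reasons.append(f"parent pid {r['ppid']} is not zygote")
        if reasons:
            findings.append({"pid": r["pid"], "name": r["name"],
                             "label": r["label"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    # On a real device: adb shell ps -AZ > ps.txt, then feed that file in
    # instead of SAMPLE_PS_AZ.
    for f in find_mislabeled_apps(parse_ps_az(SAMPLE_PS_AZ)):
        print(f"pid {f['pid']:>6} {f['name']:<24} {f['label']:<40} "
              f"{'; '.join(f['reasons'])}")
```

Two caveats apply. Code that lives inside the zygote process itself, as Alien does, never shows up as a separate mislabeled process, so this check only catches the relabeling of other apps, not the implant. And on vendor builds the allowlist has to be extended with the OEM's own app domains before the output is meaningful, otherwise every legitimate OEM app is reported.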