Predator Spyware Spreads: 11 Countries Targeted

Insikt Group has identified a new infrastructure purportedly utilized by operators of the commercial spyware Predator in at least 11 countries.

Through an examination of domains potentially employed for disseminating the software, experts pinpointed potential Predator clients in Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, as well as Trinidad and Tobago.

Predator, a sophisticated spyware product developed by the Israeli consortium Intellexa, has been deployed since 2019 to infect Android and iPhone devices. It grants access to the device’s microphone and camera, as well as to all stored or transmitted data, including contacts, messages, photos, and videos, while leaving minimal traces on the targeted device, which complicates any investigation.

Delivery servers – servers used for the initial infection of target devices, typically hosting malicious content or exploit code. Their domains often masquerade as the websites of specific organizations likely to interest the target: some imitate legitimate news portals, weather forecast sites, or particular companies in order to trick the user into downloading the spyware.

VPS servers (situated above the delivery servers) – positioned between the delivery servers and the spyware operators (in this case, Predator clients), these servers may be used to anonymize traffic, giving operators an additional layer of protection and complicating attribution of the attack’s source. They can relay data between the infected device and the operators while concealing the operators’ actual location and identity.

Infrastructure purportedly related to Predator clients. The higher-tier servers interacted with static addresses of internet providers within the country, likely linked to Predator clients.
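The delivery-server tier described above relies on domains that imitate news portals, weather sites, or specific companies. The following added example, which is not part of the original report and uses only constructed sample data (the known-good domain list, the DNS log lines, and the `.example` names are all invented for illustration), shows one defensive check a practitioner could run over DNS query logs: flag queried domains that sit within a small edit distance of an expected domain, or that embed an expected brand label inside a longer name.

```python
"""Flag lookalike domains in DNS query logs (constructed sample data, not from the report)."""
import re

# Constructed list of domains an organisation expects its users to visit.
KNOWN_GOOD = ["dailynews.example", "weather-now.example", "acme-corp.example"]

# Constructed DNS log lines in a simple "timestamp client query-name" format.
SAMPLE_LOG = """\
2024-01-10T08:01:12Z 10.0.0.5 dailynews.example
2024-01-10T08:02:40Z 10.0.0.5 dai1ynews.example
2024-01-10T08:03:05Z 10.0.0.7 weather-now-update.example
2024-01-10T08:04:31Z 10.0.0.9 acme-corp.example
2024-01-10T08:05:00Z 10.0.0.9 acmecorp-login.example
2024-01-10T08:06:22Z 10.0.0.3 totally-unrelated.example
"""


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Return the label left of the public suffix (single-label TLD assumed here)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_reason(domain, known_good=KNOWN_GOOD, max_distance=2):
    """Return a short reason string if `domain` looks like an imitation of a known-good
    domain, else None. Exact matches to the allow-list are never flagged."""
    if domain.lower() in known_good:
        return None
    label = registrable_label(domain)
    for good in known_good:
        glabel = registrable_label(good)
        dist = levenshtein(label, glabel)
        if dist <= max_distance:
            return f"edit distance {dist} from {good}"
        # Brand label embedded in a longer name (hyphens ignored), e.g. brand-login.
        # Very short brand labels would cause false positives; tune per environment.
        if glabel.replace("-", "") in label.replace("-", ""):
            return f"embeds brand {good}"
    return None


def scan_log(text):
    """Parse the constructed log format and return (timestamp, client, qname, reason)
    tuples for every query that trips the lookalike heuristic."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"(\S+)\s+(\S+)\s+(\S+)", line)
        if not m:
            continue
        ts, client, qname = m.groups()
        reason = lookalike_reason(qname)
        if reason:
            findings.append((ts, client, qname, reason))
    return findings


if __name__ == "__main__":
    for ts, client, qname, reason in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} {qname}: {reason}")
```

In practice the allow-list would be the organisation’s own domains and the sites its users legitimately visit, and the heuristic would feed an alert queue rather than block outright, since a single edit of distance 1 or 2 is also how ordinary typos look.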

Spyware technologies like Predator and Pegasus are marketed as tools intended for combating terrorism and utilized by law enforcement agencies. However, they are recurrently employed for targeted attacks against civil society, including journalists, politicians, and activists. For instance, in 2021, the phone of an Egyptian opposition politician was infected with Predator in a campaign believed to be orchestrated by the Egyptian government, according to experts at Citizen Lab.

Because deployment is costly and operators pay per infection, Predator clients typically target high-profile individuals who may possess substantial intelligence value. The use of commercial spyware outside the scope of crime investigations and counter-terrorism efforts poses risks to the privacy, legal protection, and physical safety of the end targets, their employers, and the entities engaging in such activities.

Last year, the research groups Cisco Talos and Citizen Lab published a technical analysis of Predator and its loader, Alien, revealing details of how the spyware operates. Even after that in-depth analysis, much about the sophisticated spyware remains unknown.