What is Predator spyware, and how does it work?

Predator spyware is a commercially sold smartphone surveillance threat aimed at high-value targets. It is iOS and Android malware that exploits zero-day security flaws to gain access to devices. Once it controls a device, the spyware can capture text messages, calls, emails, photos, and the owner’s location. Learn more about this spyware, its origin, and how to stay safe.

What is Predator spyware?

Predator spyware is commercial software that turns smartphones into surveillance tools. It was developed by Cytrox, and its buyers allegedly include nation-state actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia.

Simply put, the infections happen through malicious links, most likely sent through instant messaging apps. Specialists believe the main targets of Predator spyware are high-profile individuals: outspoken critics, journalists, and political figures.

What is Cytrox?

Cytrox is a company launched in Skopje, North Macedonia. It seems to have a corporate presence in Hungary and Israel. Cytrox describes its services as providing operational solutions. It also appears to be a part of the Intellexa Alliance, a group of surveillance tool vendors.

Distribution of Predator infection

In multiple examined Predator spyware campaigns, attackers used one-time links sent over email or instant messaging apps. Meta also removed approximately 300 Facebook and Instagram accounts associated with Cytrox.

Usually, URL shorteners are used to hide the link destination. If a target clicks one of these URLs, they are briefly redirected to a page hosting the exploit, and only after that do they land on the legitimate website. The attackers would then deploy Alien, Android malware responsible for loading and activating Predator spyware.

Predator spyware also depended on zero-day vulnerabilities to get onto the device. According to research, the exploited security flaws were in the Chrome browser and the Android operating system.
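From a defender’s side, the redirect chain described above (shortened link, a brief stop on an unrelated host, then the legitimate site) is something a proxy log can reveal after the fact. The following is an added example, not code from the original article: it reconstructs 30x redirect chains from constructed proxy log lines and flags chains that start at a URL shortener and pass through a host that is neither the shortener nor the final destination. The log format, the SHORTENERS list, and all hostnames are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample proxy log: "<client> <method> <url> <status> <Location or ->"
# (format is an assumption; adapt the split() below to your proxy's fields).
SAMPLE_LOG = """\
10.0.0.5 GET https://bit.ly/3xyzabc 302 https://redirect-host.example.net/r?id=9f1
10.0.0.5 GET https://redirect-host.example.net/r?id=9f1 302 https://news.example.org/story
10.0.0.5 GET https://news.example.org/story 200 -
10.0.0.7 GET https://bit.ly/3abcdef 301 https://news.example.org/world
10.0.0.7 GET https://news.example.org/world 200 -
"""

# Known URL shorteners (assumption: extend with the ones you see in your traffic).
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl"}


def host(url):
    """Hostname of a URL, or an empty string if it cannot be parsed."""
    return urlparse(url).hostname or ""


def redirect_chains(log_text):
    """Follow each client's 30x hops and return [(client, [url, url, ...]), ...]."""
    next_hop = {}
    for line in log_text.splitlines():
        client, _method, url, status, location = line.split()
        if status.startswith("3") and location != "-":
            next_hop[(client, url)] = location
    chains = []
    redirect_targets = set(next_hop.values())
    for (client, url) in next_hop:
        if url in redirect_targets:  # not the first hop of a chain
            continue
        chain = [url]
        while (client, chain[-1]) in next_hop:
            chain.append(next_hop[(client, chain[-1])])
        chains.append((client, chain))
    return chains


def suspicious_chains(log_text):
    """Flag chains that start at a shortener and visit an intermediate host that is
    neither a shortener nor the final destination's host. Returns
    [(client, first_url, [intermediate hosts], final_url), ...]."""
    flagged = []
    for client, chain in redirect_chains(log_text):
        if host(chain[0]) not in SHORTENERS or len(chain) < 3:
            continue
        final_host = host(chain[-1])
        middle = {host(u) for u in chain[1:-1]} - SHORTENERS - {final_host}
        if middle:
            flagged.append((client, chain[0], sorted(middle), chain[-1]))
    return flagged
```

A shortener that redirects straight to the destination (the second client above) is not flagged; only the extra hop through an unfamiliar host is, which is the pattern worth reviewing against a device-forensics timeline.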

How does Predator spyware work?

The research group Citizen Lab has provided many insights into Predator spyware. From its findings, we can identify the key aspects of this threat:

  • Predator spyware targets iOS and Android devices and steals various logs from them.
  • Cytrox sells both the spyware and the zero-day exploits used to infect devices.
  • Predator likely targets high-profile individuals such as politicians and journalists.
  • Predator spyware persists after a reboot by abusing iOS automation features.
  • One detected distribution channel for Predator is WhatsApp messages. Disturbingly, a zero-click exploit could trigger the installation of Predator.
  • Infected devices tend to overheat, which can be a red flag for victims who are otherwise unaware.

Data that Predator spyware can steal includes the following:

  • Login credentials
  • Phone logs
  • Text messages
  • Photos
  • Audio recordings
  • Browser data (like cookies)
  • Credit card credentials
  • Folders and files
  • Crypto files
  • Gaming accounts from Discord and Steam
  • Screenshots

How to stay safe from Predator spyware

Spyware can be a devastating infection for anyone. While threats like Predator spyware prefer high-profile targets, other variants can target anyone. Stalkerware is similar: it is usually sold openly and becomes malicious when installed without the user’s knowledge.

  • Avoid downloading unknown apps to your devices. Developers can obscure an app’s true purpose, such as monitoring your behavior, through obfuscation techniques.
  • Patch software as soon as possible. Predator spyware exploited some vulnerabilities that developers had already fixed; the problem was that users had not applied those updates.
  • Do not click on random links, especially shortened URLs. Check where a link leads before clicking it.
  • Only open messages from sources and numbers you recognize. Vulnerabilities can allow spyware or other malware to infect you with little or no interaction with a message, so be wary of the emails and text messages you receive.
  • Use a full set of security tools. Install and enable firewalls, antivirus software, ad-blockers, phishing detectors, and a VPN.

Long-term threat of surveillance-for-hire software

Predator spyware is a danger to digital security, privacy, and physical safety alike. NSO Group and its Pegasus spyware have already highlighted the threat posed by vendors selling surveillance tools to governments.

Variants like Predator spyware prove the threat is real, and more governments might explore the surveillance path. However, the fewer security gaps you leave, the less chance spyware or other malware has to infect you.