The learning threat: Predator spyware is more sophisticated than thought
The Predator spyware from Intellexa gains valuable data even from failed infection attempts and specifically targets IT security researchers.
(Image: janews/Shutterstock.com)
Only recently, the Google Threat Intelligence Group once again thoroughly dissected the powerful Predator spyware of the Intellexa consortium. But what was considered a decisive insight into the state trojan's internals at the time was apparently just the tip of the iceberg. New research by the Threat Labs team of Apple specialist Jamf now paints a picture of malware whose technical level far exceeds previous assumptions. The developers have reportedly implemented functions that go beyond mere espionage: the program actively defends itself against detection and learns from its mistakes.
Shield against the curious
A crucial aspect of the new findings concerns Predator's behavior in moments of failure or when detection is imminent. According to Jamf experts, a highly specialized "kill switch" has been documented that goes far beyond simple self-deletion routines. This function, they say, serves as the ultimate shield against security researchers.
If the spyware detects that it is being executed in an analysis environment or if certain iPhone security mechanisms are triggered, the analysis indicates that it activates the "kill switch." This not only erases traces. The software also deliberately ceases operation to hide its valuable exploits and communication channels from the eyes of forensic analysts.
This defense strategy is complemented by a precise diagnostic system. Jamf managed to document a complete taxonomy of error codes ranging from 301 to 311. These codes function as feedback channels for the attackers. If an infection attempt fails or the kill switch is activated, the spyware automatically sends an encrypted status message back to the control servers.
Feedback to control servers
The attackers thus learn exactly which security measure or researcher tool triggered the detection. This feedback system turns every successful defense reaction of an operating system into a source of information with which the attackers can specifically improve their tools for the next attempt.
In addition to this learning capability, Predator has erected further defenses against analysis by security researchers. The experts discovered functions for active process monitoring that search for traces of debug consoles or suspicious root CA certificates. The latter are often used in IT forensics to decrypt data traffic.
HTTP proxy detection is also integrated to prevent researchers from intercepting communication between the infected device and the command-and-control servers. Also remarkable is Predator's ability to either simply ignore iOS developer mode or interpret it as a warning signal, depending on what best preserves its camouflage.
Comparison with NSO Group's Pegasus
The findings underscore the professionalism of the Intellexa Alliance and, according to the researchers, show that the line between state actors and commercial spyware providers is technologically almost nonexistent. Predator is not a static tool but a dynamically adapting system. For users who might be targeted by such software due to their profile, this means a new level of threat: system security becomes an involuntary teacher for the attacker.
Compared to the notorious state trojan Pegasus from the NSO Group, which often infects devices via zero-click exploits without any user interaction, Predator primarily relies on one-click attacks via prepared links. Technically, both platforms are considered equal in their range of functions for spying on microphones, cameras, and encrypted chats. However, Pegasus is primarily optimized for maximum invisibility and silent infiltration. Predator stands out for its aggressive anti-analysis techniques. The program appears to be designed to proactively combat the IT security community.
In 2024, the operators of the platform for delivering and controlling the powerful Predator were forced to take several associated servers and other IT infrastructure components offline again. The strategy of human rights organizations and IT security researchers to name and shame black sheep in the state trojan industry seemed to be at least temporarily successful. The US government also tightened sanctions against the group at the time, which now also personally target Intellexa founder Tal Dilian and his right-hand man, Sara Hamou. The Intellexa Alliance is considered a consortium of dubious European companies that supplies cyberweapons not only to dictators. In Germany, the hacker authority Zitis is among its customers.
(vbr)