Intellexa's commercial Predator spyware, which has been used in surveillance operations targeted at European politicians, Meta executives, and journalists, has been deploying its Alien loader into the 'zygote64' Android process in order to load further spyware components, according to BleepingComputer.
Aside from enabling arbitrary code execution and certificate poisoning, both the Predator spyware's Python modules and the Alien loader support audio recording, directory enumeration, and preventing selected apps from running after a reboot, a report from Cisco Talos and Citizen Lab revealed.
After the Alien loader checks whether the infected device is made by Samsung, Huawei, Xiaomi, or Oppo, Predator enumerates the contents of directories holding messaging, browser, email, contact, and social media data, as well as private media files, and performs certificate poisoning, installing a user-level CA certificate so that TLS traffic can be intercepted in a man-in-the-middle position.
"From an attacker's perspective, the risks outweigh the reward, since with user-level certificates, the spyware can still perform TLS decryption on any communication within the browser," said researchers.
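A practitioner checking a device for the certificate poisoning described above would look at Android's per-user trust store, where user-added CAs and user-disabled system CAs are kept as files named by the OpenSSL-style subject hash (for example `5ed36f99.0`). The checker below is an added example written for this page, not code from the Talos/Citizen Lab report or from Predator itself. It assumes the `ls -l` listings of `/data/misc/user/0/cacerts-added/` and `/data/misc/user/0/cacerts-removed/` have already been captured from the device (on production builds that normally requires root or a forensic image); the listings, file sizes, and hashes in the block are constructed sample data.

```python
"""Audit Android per-user CA store listings for certificate poisoning.

Added example for this page. The directory listings are assumed to have been
captured with `adb shell ls -l <dir>` (or taken from a forensic image); the
sample listings below are constructed, not taken from a real device.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Android keeps user-installed CAs and user-disabled system CAs here (user 0).
USER_ADDED_DIR = "/data/misc/user/0/cacerts-added/"
USER_REMOVED_DIR = "/data/misc/user/0/cacerts-removed/"

# Constructed sample `ls -l` output (toybox format: perms links user group size
# YYYY-MM-DD HH:MM name). Hashes and sizes are made up for the example.
SAMPLE_ADDED = """\
-rw-r--r-- 1 system system 1342 2023-05-21 03:17 5ed36f99.0
-rw-r--r-- 1 system system 1289 2023-05-21 03:17 a1b2c3d4.0
"""
SAMPLE_REMOVED = """\
-rw-r--r-- 1 system system 1428 2023-05-21 03:18 7a380d26.0
"""

# One `ls -l` line for a cert file: filename is <8 hex subject hash>.<seq>.
LS_LINE = re.compile(
    r"^\S+\s+\d+\s+\S+\s+\S+\s+(?P<size>\d+)\s+"
    r"(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<hash>[0-9a-f]{8})\.(?P<seq>\d+)$"
)


@dataclass(frozen=True)
class CertEntry:
    directory: str
    subject_hash: str  # filename stem, the OpenSSL-style subject hash
    seq: int
    size: int
    mtime: str  # kept as printed by ls so it can be lined up with other timeline data


@dataclass(frozen=True)
class Finding:
    severity: str
    subject_hash: str
    mtime: str
    detail: str


def parse_listing(directory: str, listing: str) -> list[CertEntry]:
    """Parse `ls -l` output for one trust-store directory into CertEntry records."""
    entries: list[CertEntry] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("total "):
            continue  # blank line or the "total N" header some ls builds print
        m = LS_LINE.match(line)
        if not m:
            # Anything that is not a hash-named cert file is itself suspicious
            # in this directory, so fail loudly rather than silently skip it.
            raise ValueError(f"unexpected entry in {directory}: {line!r}")
        entries.append(
            CertEntry(directory, m["hash"], int(m["seq"]), int(m["size"]), m["mtime"])
        )
    return entries


def audit_user_ca_store(
    added_listing: str,
    removed_listing: str,
    expected_added: frozenset[str] = frozenset(),
) -> list[Finding]:
    """Flag user-added CAs not on an allowlist and any user-disabled system CAs.

    Findings are sorted by mtime so an analyst can see whether a CA was added
    and a system CA disabled in the same window, which is the pattern a
    man-in-the-middle setup would leave behind.
    """
    findings: list[Finding] = []
    for e in parse_listing(USER_ADDED_DIR, added_listing):
        if e.subject_hash in expected_added:
            continue  # e.g. a known enterprise/MDM CA supplied by the caller
        findings.append(Finding(
            "high", e.subject_hash, e.mtime,
            f"unexpected user-added CA {e.subject_hash}.{e.seq} ({e.size} bytes); "
            "browsers trust user-level CAs, so TLS to any site can be intercepted",
        ))
    for e in parse_listing(USER_REMOVED_DIR, removed_listing):
        findings.append(Finding(
            "medium", e.subject_hash, e.mtime,
            f"system CA {e.subject_hash}.{e.seq} disabled via the user store; "
            "check whether an added CA appeared at the same time",
        ))
    return sorted(findings, key=lambda f: f.mtime)


if __name__ == "__main__":
    for f in audit_user_ca_store(SAMPLE_ADDED, SAMPLE_REMOVED):
        print(f"[{f.severity}] {f.mtime} {f.subject_hash}: {f.detail}")
```

The allowlist parameter exists because a legitimately managed device may carry an enterprise CA in the same directory; a hash that is not expected there is the finding. The subject hash alone does not identify the issuer, so the next step in triage is to pull the flagged file and decode it (for example with `openssl x509 -inform DER -noout -subject -in <file>`) to see whose CA it is.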