Dangerous Predator spyware hits Android phones — what to do

Android malware
(Image credit: Shuterstock)

As part of its ongoing efforts to make Android smartphones more secure, Google’s Threat Analysis Group (TAG) often spends its time looking for zero-day vulnerabilities which can be exploited by cybercriminals and other threat actors. These vulnerabilities pose a serious risk to users as they have been disclosed but have not yet patched.

In a new blog post, TAG highlights three separate campaigns that took place between August and October of 2021, in which state-backed attackers used five different zero-day vulnerabilities to install the Predator spyware on fully updated Android devices.

Unlike traditional malware, spyware like Predator and Pegasus is used against high-value targets such as journalists and politicians. For instance, in the campaigns discussed by Google, the number of targets was in the tens of users as opposed to the thousands or millions as was the case with Emotet and WannaCry before it.

Still though, spyware is something that everyone should be aware of and take steps to avoid falling victim to, given that an attacker can track your online activities across the web and build a profile on you.

What is the Predator spyware?

A spyware alert displaying on a smartphone.

(Image credit: David MG/Shutterstock)

According to Google, Predator is a relatively new spyware that believed to be created by the commercial surveillance company Cytrox, which is based in Skopje, North Macedonia. It was sold to government-backed threat actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain and Indonesia who used it to covertly spy on high-value targets like political rivals, journalists and other outspoken critics of their respective governments.

All three of the campaigns described in Google’s report used one-time links that mimicked popular URL shortener services which were sent to targeted Android users via email. If a user clicked on one of these links, they were redirected to an attacker-owned domain that delivered the zero-day exploits in question before redirecting their browser to a legitimate website.

The targeted Android devices were first infected with an Android malware known as Alien which is in charge of loading the Predator spyware. Alien receives commands from Predator which allow the spyware to record audio, add CA certificates and hide apps on a user’s device.

Why attackers often utilize zero-day vulnerabilities

Cybercriminals and other threat actors prefer to leverage zero-day vulnerabilities in their attacks as they have a wider attack surface. Once a patch for a vulnerability has been released, they can only target those who haven’t updated their systems or software. With zero-day vulnerabilities though, a patch has yet to be written and distributed, so there’s a much higher chance of their attacks being successful.

Even if you keep all of your software up-to-date, you could still fall victim to a zero-day attack, which is why Google’s Threat Analysis Group and others like it are constantly on the lookout for new zero-day vulnerabilities that have yet to be exploited in the wild. The reason behind this is that hopefully they can alert vendors before these vulnerabilities are discovered by cybercriminals and create a patch to fix them.

How to protect yourself from spyware

Woman using smartphone and laptop

(Image credit: Shutterstock)

Once spyware finds a new home on your device, it can be difficult to remove, as the goal of this type of malware is to remain undetected. As such, you’re better off taking preventative action sooner rather than later.

First off, you should install antivirus software on your computer or a mobile antivirus on your smartphone. It’s worth noting that Microsoft Defender comes pre-installed on all Windows PCs as is the case with Google Play Protect on Android smartphones. While a paid antivirus will give you more features, both of these products do a good job of protecting your devices from malware and other cyber threats.

To prevent becoming infected with spyware, Kaspersky recommends being cautious about consenting to cookies on the sites you visit, installing an anti-tracking browser extension and keeping all of your installed software updated with the latest patches. At the same time, it’s worth remembering that free software always comes at a cost and a lot of times, that can be access to your data.

Thankfully, spyware is generally only used against high-profile targets and not everyday users. However, if you believe that you’re at risk of being targeted by state-sponsored threat actors, you can always enroll in Google’s Advanced Protection Program for free though you may need to purchase several security keys to further safeguard your online accounts.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.