Pulse: Researchers uncovered Android Spyware, Predator
WHITE | Superpro | Created: 2023-05-29 | Modified: 2023-05-29
73 IOCs (high volume)
Predator, a commercial Android spyware programme marketed by the Israeli business Intellexa (formerly Cytrox), has had its internal workings thoroughly examined by security experts.
MITRE ATT&CK & Malware Families
ATT&CK techniques: none listed
Malware families: ALIEN, PREDATOR
Indicators of Compromise (73)