What is Predator spyware? Threat to mobile devices

Anton P. | December 06, 2022

Predator spyware is a smartphone surveillance threat sold commercially and targeting high-value targets. It is an iOS and Android malware, exploiting zero-day security flaws to gain access to devices. 

Predator spyware is a surveillance tool allegedly used by governments around the world. Spyware can capture text messages, calls, emails, photos, and a person’s location after taking control of a device. The increase in suspicions of governments purchasing spyware is one of the biggest concerns of the modern world. 

What is Predator spyware? Threat to mobile devices

What is Predator spyware? 

Predator spyware is commercial software that turns smartphones into surveillance tools. Developed by Cytrox, its buyers allegedly include nation-state actors in Egypt, Armenia, Greece, Madagascar, Côte d’Ivoire, Serbia, Spain, and Indonesia. 

Simply put, the hacks happen through malicious links, likely sent through instant messaging apps. Specialists predict that the main targets of Predator spyware include high-profile individuals, outspoken critics, journalists, and political figures. 

This story mirrors the scandal involving the NSO Group Pegasus, spyware similarly going after well-known individuals. In fact, spyware like Predator and Pegasus can overlap, as with Ayman Nour’s phone

Nour is the president of the Egyptian political opposition group, and his smartphone had tested positive for both Pegasus and Predator. So, experts believe that Pegasus and Predator spyware are two separate infections. 

Who is Cytrox? 

Cytrox is a company launched in Skopje, North Macedonia. It seems to have a corporate presence in Hungary and Israel. 

It describes its services as providing operation cyber solutions. Cytrox also appears to be a part of the Intellexa alliance, a set of surveillance tool vendors. 

Privacy is a BIG DEAL!


Distribution of Predator infection

In multiple examined campaigns for Predator spyware, attackers used one-time links sent over email or instant messaging apps. Also, Meta removed approximately 300 accounts associated with Cytrox on Facebook and Instagram. 

Usually, URL shorteners would be applied to hide link destinations. If targets clicked on these URLs, they would get briefly redirected to a fake page running the flaw exploit. 

Only after that would users land on the legitimate website. In fact, the attackers would deploy Allien, an Android malware responsible for activating Predator spyware. 

Predator spyware also depended on zero-day vulnerabilities that it would exploit to work. According to research, the exploited security flaws existed in the Chrome browser and Android operating system. Google recently became the browser with the most reported vulnerabilities in 2022. 

How does Predator spyware work? 

The threat analysis group Citizen Lab has provided many insights into Predator spyware. From these findings, we can identify the key aspects of this threat: 

  • Predator spyware targets iOS and Android devices and steals various logs from them.
  • Cytrox sells spyware and exploits for zero-day attacks necessary to infect devices and run infections. 
  • Predator likely targets high-profile individuals like politicians and journalists. 
  • Predator spyware persists after reboot by exploiting iOS automation features. 
  • A detected distribution channel for Predator is WhatsApp messages. Disturbingly, a zero-click exploit could trigger the installation of Predator.
  • The infected devices tend to overheat, which could raise possible red flags to unaware victims. 

When it comes to data Predator spyware can steal, it includes the following information: 

  • Login credentials 
  • Phone logs 
  • Text messages 
  • Photos
  • Audio recordings 
  • Browser data (like cookies)
  • Credit card credentials 
  • Folders and files 
  • Crypto files 
  • Gaming accounts from Discord and Steam 
  • Screenshots 

How to stay safe from Predator or other spyware?

Spyware can be a devastating infection for anyone. While threats like Predator spyware prefer high-profile targets, other variants can target anyone. Stalkerware is similar, usually available for sale, and turns malicious if installed without users’ knowledge. 

  • Avoid downloading unknown apps to your devices. Developers could hide apps’ true intentions to monitor behavior through obfuscated techniques. 
  • Patch software as soon as possible. Predator spyware did exploit some vulnerabilities that developers had fixed. The problem was that clients did not apply these updates. 
  • Do not click on random links, especially shortened URLs. Use particular techniques to check link safety before clicking. 
  • Try to open messages from sources and numbers you recognize. Vulnerabilities could allow spyware or other malware to infect you without much interaction with messages. Thus, be wary of the emails or text messages you receive. 
  • Use a full set of security tools. Install and enable firewalls, antivirus software, ad-blockers, phishing detectors, and VPNs

Long-term threat of surveillance-for-hire software 

Predator spyware is equally dangerous regarding digital security, privacy, and physical safety. NSO Group and its Pegasus already showcased the threat of spyware vendors selling surveillance tools to governments. 

Variants like Predator spyware prove that the threat is real, and more governments might explore the surveillance path. However, if you leave fewer security gaps, the less chance spyware or malware has to infect you.

Browse safely & anonymously with a VPN

Browse safely & anonymously with a VPN

Encrypt your internet traffic and defend against online snooping, hackers, governments, or ISPs.
Anton P.

Anton P.

Former chef and the head of Atlas VPN blog team. He's an experienced cybersecurity expert with a background of technical content writing.



© 2024 Atlas VPN. All rights reserved.