Alien

The first two — exploitation and privilege escalation — are often grouped in exploit chains, which start by exploiting a remote vulnerability to obtain remote code execution (RCE) privileges... The report describes how adversaries exploited five different zero-day vulnerabilities to deliver ALIEN.

Intellexa’s ascension as a formidable entity in the spyware industry, adept in targeting both iOS and Android platforms ... having a fully working spyware targeting iOS and Android with one-click zero-day exploit.

Hooking the ioctl() API in the libbinder.so using an open-source library called xHook is one of the means it uses to communicate with PREDATOR... ALIEN attempts to hook the following APIs in the audio libraries being used by a process.

For example, the implant can inject code that was read earlier from “/system/fonts/NotoColorEmoji.ttf” into the system_server process memory for execution... The overall injection process is achieved using ptrace() and mmap() to inject the code into the target process.

For privilege escalation, the spyware is configured to use a method called QUAILEGGS, or, if QUAILEGGS is not present, it will use a different method called “kmem.” ... We assess that QUAILEGGS likely exploits the aforementioned zero-day vulnerability CVE-2021-1048.

Each of these call chains set up a process structure used to intercept specific ioctl commands, where the spyware uses the functionality of that process to abuse the SELinux context to grant different functionality to the other processes.

For example, the implant can inject code that was read earlier from “/system/fonts/NotoColorEmoji.ttf” into the system_server process memory for execution... The overall injection process is achieved using ptrace() and mmap() to inject the code into the target process.

The DEX file thus uses these hooks for two key purposes: Hiding Applications/packages : The plugin in the DEX can hook and filter out a specific package/application name from the list of installed packages and applications.

Hooking the ioctl() API in the libbinder.so using an open-source library called xHook is one of the means it uses to communicate with PREDATOR... ALIEN attempts to hook the following APIs in the audio libraries being used by a process.

During the initialization, it starts the download and calls its main_exec() function by importing it using dlsym(), thus initializing the main component of the spyware.

The spyware can also add certificates to the current user-trusted certificate authorities by writing the certificate authority’s (CA) public certificate to the path “/data/misc/user/0/cacerts-added”.

The spyware uses a variety of sources to gather information about the system. It will enumerate various directories on the file system and read multiple files to extract as much statically available data from the infected device.

If any of these manufacturers' names match, it will recursively enumerate the contents of the following directories on disk...

The implant gathers configuration information, but it will also collect contacts, calls and messaging information by copying the content of the files listed below... The content obtained is then written to “/data/local/tmp/wd/”, before being exfiltrated.

This spyware can record audio from different sources by several means. It can record from microphone, earpiece- and VOIP-based calls, using deep-level techniques like memcpy hooking inside audio-related processes, or more simply, creating a RECORD interface using the OpenSLES native library.

The ALIEN component configuration contains the URL to download the PREDATOR component... If needed, it will download the PREDATOR component from a hosting site defined in the configuration.