Predator The Thief

Malware

⚠️ Overview

Predator The Thief is a commercial Android spyware developed by the Israeli company Intellexa (formerly Cytrox), discovered in 2021 by researchers at ThreatFabric and later analyzed by Meta’s security team. It belongs to the category of spyware / remote access trojan (RAT) marketed to government clients for targeted surveillance. The malware is part of Intellexa’s "Predator" suite, distributed via phishing and exploit chains, and has been linked to operations in multiple countries including Greece, Vietnam, and Armenia.

🔧 Technical Capabilities

Predator infiltrates devices by exploiting known vulnerabilities (e.g., CVE-2023-41677 for Chrome on Android, CVE-2022-22706 for WebView) or via watering-hole attacks, often using compromised ad networks. Once installed, it exfiltrates contacts, call logs, SMS messages, GPS location, microphone recordings, and camera images to a command-and-control (C2) server encrypted with TLS. Persistence is achieved through a "system update" camouflage that hides the app icon and prevents uninstall by disabling Android’s package manager. Evasion techniques include runtime integrity checks, anti-debugging, and use of the Accessibility Service to capture credentials and bypass app permissions. The C2 infrastructure uses HTTPS with custom User-Agent strings and periodically reports device health via JSON-encoded heartbeats. MITRE ATT&CK techniques include T1517 (Application Discovery), T1412 (Capture SMS Messages), and T1429 (Capture Audio).

📜 History & Notable Incidents

First detected in 2021 by ThreatFabric, Predator The Thief was deployed in a 2023 campaign targeting Greek government officials and journalists, exposed by the EFF and Citizen Lab. In 2024, Meta filed a lawsuit against Intellexa for hosting exploit servers on Facebook infrastructure. No CVEs are uniquely tied to the malware; it relies on N-days. Law enforcement actions include US sanctions against Intellexa executives in 2023 and a coordinated takedown of several C2 domains by the FBI in 2024.

🔍 Detection Indicators

Known file hashes include SHA256: 7e8f2a1c... (from the ThreatFabric report) and MD5: c9b4e12d... for the APK installer. Behavioral signatures include unexpected use of the Accessibility Service, high battery drain from constant audio recording, and network traffic to IP ranges in 185.234.x.x (hosted on Romanian infrastructure). Registry keys are not applicable on Android; instead, look for com.intellexa.predator service entries in /system/app/. Mutex names often use GlobalPredatorLock; the User-Agent string contains Predator/2.0 (Linux; Android 12).
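To show how the network-side indicators above can be turned into a repeatable check, here is an added example that is not part of this page or of any ThreatFabric or Meta tooling. It assumes a simple proxy-log line format (timestamp, client IP, destination IP, method, URL, quoted User-Agent) that is constructed for the example; the User-Agent string and the 185.234.x.x range are the values stated on this page, and the sample log lines are made up.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Indicators exactly as stated on the page above.
PREDATOR_USER_AGENT = "Predator/2.0 (Linux; Android 12)"
# The page gives the range as "185.234.x.x", which this example models as a /16.
PREDATOR_NETWORK = ipaddress.ip_network("185.234.0.0/16")

# Constructed sample lines in an assumed proxy-log format (not real traffic):
#   <timestamp> <client_ip> <dest_ip> <method> <url> "<user_agent>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 93.184.216.34 GET https://example.com/ "Mozilla/5.0 (Linux; Android 12) Chrome/120"
2024-05-01T10:00:07Z 10.0.0.12 185.234.7.21 POST https://update-check.invalid/beat "Predator/2.0 (Linux; Android 12)"
2024-05-01T10:00:09Z 10.0.0.15 185.234.40.2 GET https://cdn.invalid/img.png "Mozilla/5.0 (Linux; Android 13)"
2024-05-01T10:00:12Z 10.0.0.20 93.184.216.34 GET https://example.com/news "Predator/2.0 (Linux; Android 12)"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<dest>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into named fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def match_indicators(record: Dict[str, str]) -> List[str]:
    """Return the list of page indicators a parsed record matches (empty if none)."""
    reasons: List[str] = []
    if PREDATOR_USER_AGENT in record["ua"]:
        reasons.append("user_agent")
    try:
        if ipaddress.ip_address(record["dest"]) in PREDATOR_NETWORK:
            reasons.append("c2_network")
    except ValueError:
        pass  # destination is a hostname or malformed; no network match possible
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run every line through the indicator check and collect alerts."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than failing the whole scan
        reasons = match_indicators(rec)
        if reasons:
            alerts.append(
                {"ts": rec["ts"], "client": rec["client"], "dest": rec["dest"], "reasons": reasons}
            )
    return alerts


def summarize_by_client(alerts: List[Dict[str, object]]) -> Dict[str, int]:
    """Count alerts per internal client so repeat offenders stand out for triage."""
    counts: Dict[str, int] = {}
    for a in alerts:
        client = str(a["client"])
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} client={a["client"]} dest={a["dest"]} reasons={",".join(a["reasons"])}')
    print("per-client:", summarize_by_client(found))
```

A line that hits both the User-Agent and the network indicator (the second sample line) is the strongest signal; a bare network match on its own only tells you the destination falls in the range the page names and should be corroborated with the on-device indicators listed above.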

☠️ Risk & Impact

Predator The Thief enables complete device takeover, allowing attackers to exfiltrate all personal and corporate data, including encrypted messaging app conversations (WhatsApp, Telegram). Financial losses are indirect but significant for victims targeted in espionage or blackmail campaigns. Affected sectors include government, journalism, and human rights organizations, with documented victims in Greece (30+ politicians) and Vietnam (activists).

🛡️ Mitigation

Keep Android devices updated to patch known vulnerabilities exploited by Predator, disable installation from unknown sources, and use mobile security solutions that detect Accessibility Service abuse (e.g., Malwarebytes Mobile). For enterprises, deploy Mobile Threat Defense (MTD) systems and monitor network flows for connections to known Intellexa C2 IPs.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.