A recent analysis of the advanced commercial spyware known as Predator has unveiled that its capability to persist between reboots is presented as an “add-on feature,” dependent on the licensing options chosen by customers. Cisco Talos researchers Mike Gentile, Asheer Malhotra, and Vitor Ventura disclosed this information in a report, emphasizing the dynamic nature of the spyware’s functionalities.

“In 2021, Predator spyware lacked the ability to survive a reboot on infected Android systems (while it had this capability on iOS). However, by April 2022, that feature was made available as an option to their customers,” the researchers revealed.

Predator is a product of the Intellexa Alliance consortium, comprising Cytrox (later acquired by WiSpear), Nexa Technologies, and Senpai Technologies. Both Cytrox and Intellexa found themselves on the U.S. Entity List in July 2023 for their involvement in “trafficking in cyber exploits used to gain access to information systems.”

This latest insight follows a comprehensive examination by cybersecurity experts, providing insights into Predator’s workings, particularly its synergy with another component called Alien.

“Alien is crucial to Predator’s successful functioning, including the additional components loaded by Predator on demand,” explained Malhotra. “The relationship between Alien and Predator is extremely symbiotic, requiring them to continuously work in tandem to spy on victims.”

Predator, capable of targeting both Android and iOS, operates as a “remote mobile extraction system” and is sold through a licensing model that costs millions of dollars. The licensing fee is based on the initial exploit used for access and the number of concurrent infections, making it inaccessible to amateur cybercriminals.

Spyware like Predator and Pegasus (developed by NSO Group) often rely on zero-day exploit chains in Android, iOS, and web browsers as covert intrusion vectors. However, as Apple and Google enhance security measures, these exploit chains may become less effective, prompting spyware developers to reassess their strategies.

Intellexa’s business model includes delegating the setup of the attack infrastructure to customers, providing plausible deniability in case of campaign exposure. The hardware delivery method, known as Cost Insurance and Freight (CIF), enables Intellexa to claim limited visibility of the deployment locations.

Moreover, Intellexa incorporates geographic limitations tied to the license, restricting surveillance operations to a single phone country code prefix. This limitation can be relaxed for an additional fee, offering flexibility to customers.

Cisco Talos emphasized that while public exposure has successfully attributed offensive actors and campaigns in the private sector, it has had minimal impact on their ability to operate globally. The need for technical analyses and tangible samples for public scrutiny of mobile spyware was stressed, as this could drive detection efforts and impose development costs on vendors, forcing constant evolution of their implants.