Government-backed attackers are using Predator spyware to record audio, hide apps and more — here's everything you need to know about it

Government-backed attackers are using Predator spyware to record audio, hide apps and more — here's everything you need to know about it
Representational image.Canva
  • Google has warned users about Predator, new spyware being used by state-backed attackers.
  • The spyware has been developed by Cytrox, a company based in North Macedonia.
  • Here’s everything you need to know about the Predator spyware.
Google has a Threat Analysis Group (TAG) that is on the lookout for threats and vulnerabilities across devices and software that can be exploited by cybercriminals.

The TAG in its latest blog post has highlighted a spyware dubbed as Predator, which was installed by state-backed attackers in three separate campaigns by exploiting five zero-day vulnerabilities.

What is a zero-day vulnerability?

Before we understand how the Predator spyware works, it is important to understand what a zero-day vulnerability is.

Complimentary Tech Event
Discover the future of SaaS in India
The 6-part video series will capture the vision of Indian SaaS leaders and highlight the potential for the sector in the decades to come.Watch on Demand
Our Speakers
Girish Mathrubootham
Brian E. Taptich
A zero-day vulnerability is a vulnerability that has been disclosed but it is not yet patched. An attack that exploits zero-day vulnerability is known as a zero-day exploit.

What is the Predator spyware?

Google has claimed that Predator is relatively new spyware and has been created by surveillance company Cytrox, which is based in Skopje, North Macedonia.


Google has revealed that Predator spyware has been purchased by countries like Egypt, Armenia, Greece, Madagascar, Spain, and Indonesia among others.

How was Predator spyware used?

According to Google, the attackers delivered one-time links similar to URLs created by URL shortener services via email. Once the user clicks on the link, they are directed to an attacker-owned website that delivers the exploit and then redirects the user to a legitimate website.

When the user is directed to the attacker’s website, an Android malware dubbed ALIEN is installed on their device. The malware then loads Predator on the device. The spyware is capable of recording audio, hiding apps and adding CA certificates.

Google has pointed out that similar techniques have been used in the past against journalists and other victims.


Apple’s WWDC 2022 to begin on June 6 – events, expected announcements and more

Hackers are using a new fake chatbot trick to steal your data — here’s how to keep yourself safe

Google's Imagen can use text to make images, paintings, CGI renders using AI — here are some pictures