The Predator spyware and Alien bootloader have broader surveillance capabilities than previously thought, according to a report released Thursday by Cisco Talos with help from Canadian nonprofit Citizen Lab. The malware was found to be able to record voice calls and nearby sounds, collect Signal and WhatsApp data, and hide apps or prevent them from launching when the device is rebooted.
Predator and Alien have been around since at least 2019 and are now part of a larger package developed by Cytrox called Intellexa, the marketing name for a series of surveillance-for-hire vendors that emerged in 2019. Other companies in the consortium include Nexa Technologies (formerly Amesys), WiSpear/Passitora Ltd. and Senpai.
In a published report examining the Android version of the code, Talos suggests that Alien is not merely a bootloader for Predator: the two components work together to enable all kinds of spying and intelligence gathering on compromised devices. "When these components are used together, they offer various opportunities for information theft, surveillance and remote access," say the researchers.
The capabilities include secretly recording audio from phone calls and VoIP apps, stealing data from Signal, WhatsApp, and Telegram, and hiding apps or preventing them from starting after a device restart. According to the documentation, like other spyware such as Pegasus that does not require user intervention to infect victims' devices, Predator and Alien use zero-day vulnerabilities and other bugs to infect and hijack Android phones.
Talos admits that it does not have access to all components of the spyware, so, without a full examination of the code, "this list of possibilities should not be considered exhaustive." However, the company suggests that the features also include geolocation tracking, camera access, and simulating a switched-off phone, all of which make it easy to track a victim without their knowledge.