Citizen Lab has released a new report detailing government use of “Predator”, mercenary spyware made by the North Macedonian developer Cytrox.
Researchers found that Predator had been used to attack two people in June 2021. The spyware “was able to infect the latest version (14.6) of Apple’s iOS operating system using single-click links sent via WhatsApp,” according to Citizen Lab.
The researchers added that Predator persists across reboots by abusing the iOS automation feature. Apple did not respond to requests for comment on the spyware, but Citizen Lab said Apple had been notified and is investigating the issue.
Because WhatsApp was the delivery channel, Citizen Lab also informed Meta of Predator’s activity. Meta has announced that it is taking enforcement action against Cytrox and removing around 300 Facebook and Instagram accounts linked to the spyware company.
The Meta security team found “a long list of similar domains used in social engineering and malware attacks.”
“Meta’s report says they believe Cytrox customers include entities in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Ivory Coast, Vietnam, the Philippines and Germany, and that they have identified additional abusive targeting initiated by Cytrox customers around the world,” Citizen Lab explained.
Meta also deleted accounts linked to six other cyber-surveillance companies: Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, BellTroX and a company based in China. Meta’s report says these companies created more than 1,500 fake accounts that targeted around 50,000 users in at least 100 countries.
Exiled Egyptian politician Ayman Nour was one of the two people whose devices were infected with Predator, and Citizen Lab noted that his phone was also infected with Pegasus, the spyware that has made headlines for the embattled NSO Group. Citizen Lab said two different governments were spying on Nour at the same time during parts of 2021.
Citizen Lab’s reports on Pegasus and NSO Group have provoked international outrage and started a global conversation about the proliferation of powerful spyware. NSO Group was blacklisted by the US government last month and this week faced calls for even tougher sanctions.
Cytrox, according to the report, is part of Intellexa, an NSO Group rival based in the European Union. The company was bought in 2018 by the Israeli company WiSpear, according to Citizen Lab.
While scanning for Predator spyware servers, Citizen Lab researchers identified “probable” clients in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.
“We have confirmed the hacking of the devices of two individuals with Cytrox’s Predator spyware: Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an exiled Egyptian journalist who runs a popular news program and wishes to remain anonymous,” Citizen Lab explained.
“Nour first became suspicious after observing that his iPhone was running ‘hot’. We learned of Nour’s case and examined the logs on his phone. We attribute the attacks on both targets to the Egyptian government with moderate confidence. We performed an analysis that identified the Egyptian government as a Cytrox Predator client, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hacks were sent from Egyptian WhatsApp numbers.”
Further investigation of Nour’s phone revealed that it was hacked with Pegasus in March 2021 and that there was another attempt to hack it in June 2021 using NSO Group’s FORCEDENTRY exploit.
“This report is the first investigation to find Cytrox’s mercenary spyware being abused to target civil society. NSO Group has received disproportionate publicity in recent years, thanks to a growing customer list, spiraling abuse problems and groundbreaking investigative work by civil society,” Citizen Lab said.
“Cytrox and its Predator spyware, on the other hand, are relatively unknown. The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company. Instead, it is a pattern that we believe will persist as long as autocratic governments are able to obtain sophisticated hacking technology. In the absence of international and national regulations and safeguards, journalists, human rights defenders and opposition groups will continue to be hacked for the foreseeable future.”