While Israeli cyberarms firm NSO Group’s ‘Pegasus‘ spyware dominated headlines, other groups quietly sold equally powerful spyware. Security researchers at Toronto-based Citizen Lab released a lengthy report on spyware called ‘Predator’ after finding it on an iPhone that had also been infected with NSO Group’s Pegasus.
Citizen Lab discovered Predator when an exiled Egyptian politician named Ayman Nour became suspicious because his phone was “running hot.” Researchers found Nour’s phone was infected with Pegasus and also identified other spyware, which researchers determined was Predator. They also connected Predator to Cytrox, based in North Macedonia.
Researchers also found Predator running on the phone of an Egyptian news show host who asked not to be named.
Both phones were iPhones running iOS 14.6 — the latest version at the time of the hacks — which suggests that Predator exploited a never-before-seen vulnerability in the iPhone’s software to infect the phones.
Techcrunch asked Apple about the vulnerability, but a company spokesperson declined to say whether Apple had patched it. Citizen Lab noted that it shared copies of “forensic artifacts” from its Predator investigation with Apple and that the iPhone-maker confirmed it was investigating.
Predator can survive a reboot, making it more persistent than Pegasus
Predator and Pegasus have similar feature sets and, according to Citizen Lab, Predator was delivered to Nour’s iPhone via a malicious link sent over WhatsApp. When Nour opened the link, Predator was able to gain access to the phone’s cameras and microphone, as well as pull data off the phone. Unlike Pegasus, however, Predator cannot silently infect a phone without user interaction. In other words, the spyware relies on user input, like clicking a malicious link, to activate.
Researchers said Predator makes up for that with persistence — the spyware can survive a reboot of an iPhone, which would typically clear out any spyware lurking in the phone’s memory. It does so by creating an automation using the Shortcuts feature built into iOS.
Meta banned Cytrox and other groups from its platforms
Techcrunch also detailed an effort by Facebook parent company Meta to ban surveillance-for-hire groups. Meta banned seven groups — including Cytrox — from its platforms and said it removed over 1,500 Facebook and Instagram accounts associated with the seven groups. Further, Meta said the accounts were used to send malicious links to targets in over 100 countries. The company alerted some 50,000 people it believes were targeted by these groups.
Citizen Lab said that Predator was likely being used by government customers in Armenia, Greece, Serbia, Indonesia, Madagascar, Oman, Egypt and Saudia Arabia. Meta’s investigation also found Predator customers in Vietnam, the Philippines and Germany.
While certainly concerning, it’s worth keeping in mind that these tools aren’t necessarily problems for the average person. Pegasus and Predator have so far been used to target journalists, politicians, human rights advocates and similar figures. Moreover, these spyware tools are commonly delivered through malicious links — as such, it’s a good idea to avoid clicking any link you receive, especially if it comes from an unfamiliar source.
You can read Citizen Lab’s full report here.