Predator Spyware Operators Caught Exploiting Security Holes Now Patched by Apple and Google

Critical security flaws recently patched by Apple and Google were used to infect high-profile targets with Predator spyware, researchers at The Citizen Lab disclosed.

Several security flaws addressed by Apple and Google in iOS and Chrome were exploited by customers of Cytrox, a company known to develop and sell Predator spyware, according to The Citizen Lab at the University of Toronto.

The group, renowned for their fight against mercenary spyware, worked closely with Apple and Google in recent months to uncover multiple spyware attacks targeting high-profile individuals, as the two tech giants worked around the clock to patch actively exploited flaws in their flagship products – iPhones, iPads and Macs, Android devices, and the Chrome web browser.

While not all attacks can be attributed to a single threat actor, at least one campaign involved Egypt’s political scene.

The researchers say that former Egyptian MP Ahmed Eltantawy was targeted between May and September 2023 with Cytrox’s Predator spyware via links sent on SMS and WhatsApp.

The targeting took place after Eltantawy publicly stated his plans to run for president in the 2024 Egyptian elections, according to a report posted by the team in Toronto.

“In August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting via network injection,” reads one of the key findings. “When Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware.”

“Given that Egypt is a known customer of Cytrox’s Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the network injection attack to the Egyptian government with high confidence,” the researchers say.

The exploit chain used to deploy the malware on Apple devices leveraged three distinct vulnerabilities in iOS versions through 16.6.1.

The attackers also had an exploit chain to install Predator on Android devices – also in Egypt, according to a separate notice by Google’s Threat Analysis Group (TAG).

Apple customers are urged to update their devices to the latest versions: iOS 16.7 and iPadOS 16.7, iOS 17.0.1 and iPadOS 17.0.1, macOS Ventura 13.6, macOS Monterey 12.7, watchOS 9.6.3, watchOS 10.0.1.

All Apple users who may face increased risk because of their identity or their actions are instructed to enable Lockdown Mode – Apple’s words, not just The Citizen Lab’s.

Chrome users should only use the latest version available for their device, and are advised to rely on “HTTPS-First Mode,” designed to reduce the attack surface for MITM network injection.

Regardless of device type or OS, everyone should consider deploying a dedicated security solution on their personal devices to defend against the vast array of cyber threats making the rounds today.