Citizen Lab and Google’s Threat Analysis Group have discovered an iPhone exploit chain designed to install Predator spyware on iOS versions through 16.6.1. This suggests that the spyware made use of a never-before-seen exploit in the iPhone’s software to infect the phones.
Consequently, Citizen Lab contacted Apple about the exploit. In response, Apple released updates that patched the bugs in iOS 16.7 and iOS 17.0.1. iOS users are therefore encouraged to update their iPhones to protect themselves from the Predator spyware.
The spyware was discovered by Maddie Stone, a security researcher at Google’s Threat Analysis Group (TAG), and Bill Marczak, a senior researcher at Citizen Lab. Predator spyware can access a phone’s cameras and microphone and can export the phone’s data.
However, it is not zero-click spyware: it requires the user to click on a link to infect the device.
Not the First Predator Discovery
Notably, this is not the first time the Predator spyware has been discovered on iPhones. In 2021, Citizen Lab found that the spyware, developed by Cytrox, had infected iPhones belonging to two Egyptian politicians. It is also another case of spyware infiltrating iPhones to be discovered in recent weeks.
In early September, Citizen Lab discovered an exploit used by the Pegasus spyware that was able to compromise all Apple devices. This prompted Apple to rush out operating system updates for iPhones, iPads, Mac computers, and Apple Watches to patch the associated vulnerabilities.
Predator Targeting Egyptian Politician
This is a case of surveillance-for-hire outfits deploying an exploit to steal information from a victim’s iPhone. A leading Egyptian opposition politician, Ahmed Eltantawy, approached Citizen Lab after he suspected he was a target.
Forensic analysis revealed that he had been targeted with spyware several times. The attacks began soon after he declared his candidacy in the 2024 Egyptian presidential race. The Egyptian government is known to deploy surveillance spyware, and, as mentioned above, an earlier version of Predator was discovered on Egyptian politicians’ iPhones.
According to the Citizen Lab blog, in August and September 2023, Eltantawy visited websites not using HTTPS. When this happened, he was automatically redirected to a malicious website to infect his phone with Cytrox’s spyware.
“The spyware was delivered via network injection from a device located physically inside Egypt, we attribute the network injection attack to the Egyptian government,” wrote Citizen Lab.
Visiting a website over plain HTTP allows an attacker positioned on the network path to intercept the user’s traffic and inject a response that forces the browser to a different website.
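The network-injection pattern described above leaves a visible trace: a plaintext HTTP request that is answered with a redirect to an unrelated site. The following detection script is an added example, not code from the article or from Citizen Lab, and runs over a few constructed proxy log lines (the hostnames and log format are invented for illustration); it flags redirects that answered an http:// request and point to a different site, while leaving same-site redirects and http-to-https upgrades alone.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (not from the article). Each line is:
# "<timestamp> <method> <requested_url> <status> <Location header or ->"
SAMPLE_LOG = """\
2023-09-01T10:00:01Z GET http://example.org/news 200 -
2023-09-01T10:00:05Z GET http://example.org/sports 302 http://example.org/sports/
2023-09-01T10:00:09Z GET http://example.org/weather 302 http://lookalike-cdn.example/landing
2023-09-01T10:00:12Z GET https://bank.example/login 302 https://bank.example/login?next=/home
2023-09-01T10:00:20Z GET http://news.example/ 307 https://news.example/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")
REDIRECT_STATUSES = {"301", "302", "303", "307", "308"}


def site_of(host: str) -> str:
    """Crude registrable-domain approximation (last two labels).
    A production detector would use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def suspicious_redirects(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, requested_url, location) for every redirect that
    (a) answered a plaintext http:// request, which is the only traffic an
    on-path injector can rewrite, and (b) sends the browser to a different
    site. Same-site redirects, including http->https upgrades, are not flagged."""
    findings = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than crash on them
        ts, _method, url, status, location = match.groups()
        if status not in REDIRECT_STATUSES or location == "-":
            continue
        src, dst = urlparse(url), urlparse(location)
        if src.scheme != "http":
            continue  # HTTPS responses cannot be forged by a network injector
        if site_of(src.hostname or "") == site_of(dst.hostname or ""):
            continue  # legitimate same-site redirect or TLS upgrade
        findings.append((ts, url, location))
    return findings


if __name__ == "__main__":
    for ts, url, location in suspicious_redirects(SAMPLE_LOG):
        print(f"{ts}: plaintext request to {url} redirected off-site to {location}")
```

Only the third constructed line is reported; the http-to-https upgrade on the last line is treated as legitimate.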
Further, in what was a smishing attack, Eltantawy received several SMS messages in May 2023 and September 2023 that posed as messages originating from WhatsApp. The malicious texts prompted him to click on a link. In November 2021, the politician’s phone had been infected with Cytrox’s Predator spyware via a text message containing a link to a Predator website.
When he received the messages with links this year, Eltantawy did not engage with the suspect links.
As a digital native, always be aware of smishing attacks and avoid sites that do not use HTTPS encryption for secure communication over a computer network.