After the Pegasus spyware, here is the Predator malware

We already knew about the Pegasus spyware. Now another one is making headlines: Predator. The malware can infect Android smartphones and iPhones using a simple link sent via WhatsApp.

What is happening?

Investigations carried out by Citizen Lab, a research laboratory affiliated with the University of Toronto, Canada, have uncovered a new espionage operation that targeted at least two Egyptian figures, including Ayman Nour, a politician currently in exile in Turkey after having been imprisoned several times.

Citizen Lab's findings show that the politician and the presenter of a popular news program, who wished to remain anonymous, were targeted by new malware reminiscent of the notorious Pegasus, spyware developed by the Israeli company NSO Group, whose existence has been documented since 2016 but which received increased attention in 2021.

Ayman Nour, in 2011. // Source: Gigi Ibrahim

This time the program is called Predator, a name far more explicit about its intentions. According to the investigation conducted by Citizen Lab, this malware can run on recent versions of iOS, at least up to iOS 14.6, a branch released in May 2021.

The malware is described as spreading from one smartphone to another via links sent over WhatsApp, an instant messaging service whose selling point is end-to-end encrypted exchanges. That said, there is little the service can do when a sender, deliberately or unwittingly, distributes infected links. NSO's attacks were carried out the same way.

"Both targets were hacked with Predator in June 2021," comments Citizen Lab. In Ayman Nour's case, his profile appears to have interested several third parties: his phone was simultaneously infected with Predator and Pegasus spyware. The Canadian organization adds that each piece of malware was operated by a different government client.

It was almost by chance that Ayman Nour noticed something was wrong with his phone: it ran noticeably hotter than his usage warranted. Unsurprisingly, two pieces of spyware running in the background to monitor his every move took a toll on the device.

Are there other people affected by Predator?

What the attack looks like on WhatsApp: a simple link. // Source: Citizen Lab

This is quite possible, given the number and geographic spread of servers linked to this program. Predator may be used by customers located in Egypt, Armenia, Indonesia, Madagascar, Oman and Saudi Arabia. Closer to home, two European countries also appear: Serbia and Greece. France is not mentioned.

Other countries are also listed in a report written by Meta, Facebook's parent company. Some of those already mentioned by Citizen Lab reappear, alongside Colombia, Ivory Coast, Vietnam, the Philippines and Germany. Meta specifies that it identified clients in these countries; it is not certain that the governments are involved.

What is certain is that other people of interest, human rights activists, political opponents, journalists and public figures, are targeted by similar software, since the Meta document highlights the growth of a "hackers for hire" industry, that is, technically sophisticated companies that sell hacking tools.

Meta's work confirms that politicians and journalists have been targeted elsewhere in the world, notably in Armenia. In particular, Cytrox has probably provided its services to a mysterious entity called Sphinx, "which targeted people in Egypt and neighboring countries."

Who is Cytrox?

In its report, Meta explains that it removed nearly 300 Facebook and Instagram accounts linked to Cytrox. Cytrox is the company behind Predator: it is the one that "designed and sold" the program. Cytrox is far less well known than NSO Group, at least for now. The company was founded in North Macedonia and is said to have offices in Israel and Hungary.

Cytrox is described as a member of a group called Intellexa, said to be an alliance of companies seeking to compete with NSO Group in the digital espionage sector. It reportedly has eight partner companies, including Cytrox, Nexa Technologies and WiSpear. Nexa Technologies is not entirely unknown: it is the new name of the French company Amesys.

According to Gizmodo, Cytrox has been a subsidiary of WiSpear since 2018-2019, a company described as a specialist in wireless interception (in this case, Wi-Fi). WiSpear was founded by Tal Dilian, our colleagues report, a former Israeli army officer who presents himself as an intelligence expert and who is also behind Intellexa.

NSO Group made a name for itself with the iPhone hack. But Cytrox also has resources in this area, as well as on Android. // Source: Louise Audry for Numerama

Still according to the American outlet, Intellexa claims to be able to intercept 2G, 3G, 4G and Wi-Fi links (and by now probably 5G, which was not yet deployed in 2019). Intellexa operates in several countries, with offices in Tel Aviv, Dubai, Jakarta and Paris to provide "close geographic support to existing customers of the alliance's companies."

Clearly, WiSpear's acquisition of Cytrox rounded out the range of surveillance and interception services that Intellexa can offer. Citizen Lab adds that Cytrox describes itself as "based in the European Union and regulated, with six sites and R&D laboratories across Europe."

Beyond Cytrox, Meta has taken action against six other entities accused of carrying out similar operations: Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, BellTroX and an unknown entity in China. According to the analysis by the social network's teams, these companies are based in the United States, Israel, India and China.

How does Cytrox operate?

Cytrox is accused of having run a network of domains "to spoof legitimate news media in countries of interest to them and to mimic real URL shortening and social media services". Phishing campaigns were also conducted, in an attempt to steal credentials and data by imitating legitimate e-mails.

"Cytrox and its customers have taken steps to tailor their attacks to particular targets by infecting people with malware only if they passed certain technical checks, including IP address and device type. If checks failed, people could be redirected to media or other legitimate sites," the report adds.
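The two paragraphs above describe the delivery side of the operation: domains that imitate real news outlets and URL shorteners, plus server-side checks that send anyone who does not match the target profile to a genuine site. A defender who receives suspicious links can at least triage them before clicking. The script below is an added example, not code from Citizen Lab, Meta or this article; it scores links found in chat messages against a trusted-domain allow-list using homoglyph folding, edit distance and a check for trusted names buried in the subdomain of an unrelated domain. The allow-list, the sample messages and the two-label "registrable domain" rule are constructed assumptions for the demo, not a production public-suffix implementation.

```python
"""Detection heuristic: flag lookalike domains in links received over messaging.

Added illustration (not code from Citizen Lab, Meta or the article). The trusted
domain list and the sample messages below are constructed for the demo; a real
deployment would load the allow-list from its own configuration.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list of domains the defender trusts (news outlets, URL shorteners).
LEGIT_DOMAINS = ["example-news.com", "bit.ly", "t.co", "example-shortener.net"]

# Common character substitutions used to build lookalike names.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(name):
    """Fold digit/letter-pair substitutions so 'examp1e' compares equal to 'example'."""
    folded = name.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a, b):
    """Levenshtein distance (iterative, one-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive 'registrable domain': the last two labels. Assumption: no public-suffix
    list is consulted, so multi-label suffixes such as co.uk are not handled."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url):
    """Return (verdict, host, matched_trusted_domain_or_None).

    verdict is 'legitimate', 'lookalike' or 'unknown'.
    """
    host = (urlparse(url).hostname or "").lower()
    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return ("legitimate", host, reg)
    # A trusted name appearing as whole labels inside the subdomain of an
    # unrelated registrable domain (e.g. trusted.com.attacker.example).
    for legit in LEGIT_DOMAINS:
        if "." + legit + "." in "." + host + "." and not host.endswith("." + legit):
            return ("lookalike", host, legit)
    # Homoglyph substitution or a single-character typo of a trusted name.
    norm = normalize(reg)
    for legit in LEGIT_DOMAINS:
        if edit_distance(norm, normalize(legit)) <= 1:
            return ("lookalike", host, legit)
    return ("unknown", host, None)


def scan_messages(messages):
    """Extract every URL from the message texts and classify it."""
    results = []
    for text in messages:
        for url in URL_RE.findall(text):
            results.append(classify_url(url))
    return results


# Constructed sample messages, as they might appear in a chat export.
SAMPLE_MESSAGES = [
    "Did you see this? https://example-news.com/politics/interview",
    "Breaking: https://examp1e-news.com/politics/exclusive",
    "short link https://bit.1y/3xYz",
    "https://exarnple-news.com/video",
    "login here https://example-news.com.evil-attacker.example/account",
]

if __name__ == "__main__":
    for verdict, host, match in scan_messages(SAMPLE_MESSAGES):
        print(f"{verdict:10s} {host:45s} {match or ''}")
```

The triage deliberately judges the link as it was sent, not where it lands: because of the IP-address and device-type checks the report describes, fetching such a link from an analyst's workstation will typically end on a genuine news page and prove nothing. Treat an "unknown" verdict as a prompt for further checks rather than a clean bill of health, and keep the allow-list short and specific; the substring and edit-distance rules are heuristics that will produce false positives on very short trusted names.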

The Predator spyware when it gets onto the phone. Allegory. // Source: Predator (1987)

Even more interesting are the software's behavior and its resilience: "We obtained samples from Predator's 'bootloader', the first phase of the spyware, and analyzed their functionality. We have found that Predator persists after reboot using iOS's automation feature," Citizen Lab states.

If the iPhone has a special place in this story, because it is the phone Ayman Nour uses, it would be wrong to assume that the rival operating system, Android, is immune. Its operation shares characteristics with the iOS variant, but the technical analysis also shows differences, and additional features.

"We couldn't find any persistence mechanism on Android, nor any values in Android's configuration file that indicate persistence support. However, we found some additional code in the Android sample, including code to disable SELinux and code for an audio recording component," the laboratory continues.

What now?

Based on the technical details and the long description provided by the Canadian lab, WhatsApp, a Facebook subsidiary, and Apple can be expected to step in so that Cytrox's methods no longer work, or at least so that the paths used until now are closed for good.

Citizen Lab says it has confirmation from the Cupertino company that it is on the case. Given Meta's work on the "hackers for hire", an update to the WhatsApp messaging app is also expected. It is not known whether any fixes have already been released to the public or are still pending.

In light of the revelations by Citizen Lab and Meta, legal action against Cytrox is possible. At the end of November, we learned of Apple's decision to sue NSO in court over its activities. Now that there is a precedent, Apple could keep up the momentum. So could Predator's victims.

On Dec. 16, Amnesty International signaled its readiness to support activists who fear they have been targeted by the Predator software or by other digital threats. An e-mail address was shared for this purpose, and a verification tool from the NGO's tech team, published on GitHub, lets people check their own smartphone.

This case, the non-governmental organization concludes, is in any case proof that "these results are one more reason why global action is needed to prevent further human rights abuses related to these technologies". It calls once again for an end to the illegal targeted surveillance of human rights defenders.
