Dangerous New ‘Predator’ iPhone Spyware Uncovered by Citizen Lab

Although NSO Group’s Pegasus spyware has been getting most of the attention lately, it’s far from the only big threat out there, as cyber researchers at the University of Toronto’s Citizen Lab have recently discovered.

NSO Group, the Israeli firm behind Pegasus, recently found itself the target of legal action by Apple in an effort to shut down its ability to conduct attacks against iPhone users. Apple has even gone so far as to notify folks it believes may have been targeted by state-sponsored spyware like Pegasus, leading to some interesting revelations about how pervasive and insidious this spyware is.

It’s important to keep in mind, however, that just because Pegasus is getting all the attention, it doesn’t mean that there aren’t other state-sponsored spyware tools that are just as bad — or possibly even worse.

In fact, new research by Citizen Lab shows that not only is there at least one other notably big threat out there — another piece of spyware known as “Predator” — but that some iPhones have actually found themselves “doubly infected” by versions of Pegasus and Predator deployed by different government agencies.

In a new research report released yesterday, Citizen Lab researchers shared their discovery of the new Predator spyware, first found on two iPhones belonging to two Egyptian dissidents.

The most prominent of these was Ayman Nour, a politician who had the temerity to try to run for election against the incumbent Egyptian President in 2005. Nour spent four years in prison on questionable charges, and was later forced into exile in 2013. He’s now living in Turkey, where he remains a vocal critic of what he describes as Egypt’s “oppressive military regime.”

Eight years later, however, it seems that Nour is still being watched, as Citizen Lab found that he had both Pegasus and Predator on his iPhone — operated by two different government clients.

According to the Citizen Lab report, both Nour and another Egyptian — an exiled journalist who has requested anonymity — were hacked with Predator in June 2021. Both were running iOS 14.6, which was the latest publicly available release at the time. The spyware was delivered via single-click links sent through WhatsApp.

The Predator spyware is built and sold by Cytrox, a small mercenary spyware developer that few people have even heard of. It’s reportedly part of the Intellexa alliance, which has been described as a “one-stop-shop” for government spyware. Intellexa is considered to be NSO Group’s main competitor, and describes itself as “EU-based and regulated, with six sites and R&D labs throughout Europe.”

Cytrox came into existence in North Macedonia in 2017, although it appears to have since expanded into Israel and Hungary, where Citizen Lab reports that it operates under different names to obscure its connections.

After scanning for Predator spyware servers, Citizen Lab found likely customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Pegasus and Predator Living in Harmony

Researchers managed to obtain logs from Nour’s iPhone that indicated that on June 22, 2021, both Pegasus and Predator were running simultaneously.

“The phone logs indicate that the device was infected with Pegasus on June 22 at 13:26 GMT. A number of Library/SMS/Attachments folders were created between 13:17 and 13:21, and there were no entries whatsoever in the Attachments table of the sms.db file for June 22, suggesting that a zero-click exploit may have been the vector for Pegasus installation. Approximately an hour later, a Predator link sent to Nour on WhatsApp was opened in Safari at 14:33 GMT on the same day and Predator was installed on the device two minutes later at 14:35 GMT.”
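The pattern described in the quoted logs, attachment folders created on a day with no matching rows in the attachments table, can be checked mechanically. The following is an added example, not code from Citizen Lab or the original article; the folder paths, timestamps, and the simplified `attachment` table are constructed stand-ins, not the real sms.db schema.

```python
import sqlite3
from datetime import datetime, timezone, timedelta

# Apple/Core Data reference date: timestamps count seconds from here.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

def apple_ts(dt):
    """Seconds since 2001-01-01 UTC for a timezone-aware datetime."""
    return int((dt - APPLE_EPOCH).total_seconds())

def utc(hour, minute, day=22):
    """Helper for the constructed June 2021 sample timestamps."""
    return datetime(2021, 6, day, hour, minute, tzinfo=timezone.utc)

# Constructed sample: folder creation times as read from a filesystem listing.
FOLDERS = [
    ("Attachments/aa/01", utc(13, 17)),
    ("Attachments/bb/02", utc(13, 19)),
    ("Attachments/cc/03", utc(13, 21)),
    ("Attachments/dd/04", utc(9, 5, day=21)),  # ordinary attachment, day before
]

def build_db():
    """Constructed stand-in for the attachments table (assumed, simplified schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE attachment (filename TEXT, created_date INTEGER)")
    db.execute("INSERT INTO attachment VALUES (?, ?)",
               ("Attachments/dd/04/photo.jpg", apple_ts(utc(9, 5, day=21))))
    return db

def orphan_days(db, folders):
    """Return {UTC day: [folders]} for days with folders created but no table rows."""
    days_with_rows = set()
    for (ts,) in db.execute("SELECT created_date FROM attachment"):
        days_with_rows.add((APPLE_EPOCH + timedelta(seconds=ts)).date())
    flagged = {}
    for path, created in folders:
        day = created.date()
        if day not in days_with_rows:
            flagged.setdefault(day.isoformat(), []).append(path)
    return flagged

if __name__ == "__main__":
    for day, paths in orphan_days(build_db(), FOLDERS).items():
        print(day, "folders without attachment rows:", paths)
```

A flagged day is a lead for further analysis, not proof of compromise, since attachment rows can also be absent for benign reasons such as deleted messages.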

The only piece of good news here is that it doesn’t appear that Predator can take advantage of a zero-click exploit — at least not yet. Both targets were sent links through WhatsApp, which they presumably tapped on to open in Safari.

The report doesn’t specify where the link to Nour was coming from, but notes that the other target — described as “an Egyptian journalist living in exile who is the host of a popular news program” — was duped into believing that they were receiving something from an Assistant Editor at the Al Masry Al Youm newspaper.

In Nour’s case, an Egyptian number on WhatsApp purporting to be a “Dr. Rania Shhab” sent four separate links to disguised Predator-controlled domains as images containing URLs. The text in the images appears to contain headlines that would likely have encouraged Nour to click on them. For example, one such headline read, “Turkey asks the Egyptian opposition channels to stop criticizing Egypt, and Cairo comments on the move.”

So far, Predator appears to be considerably less sophisticated than Pegasus. Not only does a target need to click on a link to become infected by it, but it also relies on the iOS Shortcuts app to persist after a reboot.

Citizen Lab found that the loader downloads and installs an iOS shortcuts automation that triggers when specific apps are opened, including Apple’s built-in App Store, Camera, Mail, Maps, and Safari, plus third-party apps like Twitter, Instagram, Facebook Messenger, LinkedIn, Skype, Snapchat, Viber, Wire, TikTok, Line, OpenVPN, WhatsApp, Signal, and Telegram.

Interestingly, the persistent payload is referred to internally as “Nahum,” which is the name of a minor biblical prophet in Jewish and Christian tradition who foretold the destruction of the powerful fortress city of Nineveh.

Predator also downloads an iOS profile that’s specifically designed to disable notifications globally when a Shortcut runs, allowing Predator to reload itself without the user being aware of it.

Of course, since Predator relies on a shortcut, it’s not particularly well hidden. It would be fairly easy to spot with a quick trip into the Shortcuts app, although it’s probably safe to say that many iPhone users don’t even know the Shortcuts app exists, much less have any idea of what to do with it.

“The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company. Instead, it is a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology. Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future.” (Citizen Lab)

Are Governments Switching to Predator?

The Citizen Lab report shares another interesting tidbit that shows how shutting down NSO Group and Pegasus isn’t going to solve the larger problem of state-backed spyware.

Researchers discovered that an IP address in Saudi Arabia began matching the Predator fingerprints near the end of July, suggesting that Cytrox had gained a new customer. It’s probably not a coincidence that this occurred just after NSO Group had reportedly terminated its relationship with the Saudi government following Citizen Lab’s late 2020 discovery that it had been using Pegasus to spy on Al Jazeera journalists.

Dealing with Cytrox and Predator

Citizen Lab notes that it’s shared all of its findings with Apple, which has confirmed that it’s investigating the situation.

Since WhatsApp was also used to deliver the Predator payloads, Citizen Lab also shared the details with Meta (née Facebook), which has announced that it will be taking enforcement action against Cytrox, including the removal of approximately 300 Facebook and Instagram accounts linked to the company.
