Pegasus isn’t all you have to worry about: Meet Cytrox’s spyware, Predator

A new spyware is in town

What is Cytrox?

Cytrox started as a North Macedonian startup, but documents reviewed by Citizen Lab suggest it has a presence in Israel and Hungary. Its description on Crunchbase says it provides “governments with an operational cyber solution” — quite vague.

The company is reportedly a part of Intellexa — an alliance that wants to compete with the NSO Group.

The firm’s founder, Tal Dilian, has been involved with a number of operations that provide surveillance software.

Cytrox offers its own Pegasus rival called Predator (who’s making that Alien v Predator poster?) that spies on the victim’s phone. The firm also offers some products to Sphinx, a cyber espionage campaign targeting people located in Egypt and surrounding countries.

What did Citizen Lab find out about the Predator spyware?

An investigation by the Canada-based research firm revealed two Egyptian citizens were targets of Predator: Ayman Nour, the leader of an opposition party in the country, and an unnamed exiled journalist, who’s an anchor on a popular news show.

Notably, the spyware works on both Android and iOS. But the targets were hacked by a bug present in iOS 14.6 in June. We’ve asked Apple if the vulnerability has been fixed, and we’ll update the story if we hear back.

Attackers hacked these phones by sending innocuous-looking links on WhatsApp; these required just a single click to activate the spyware in question. Nour suspected that he had been a victim of a spyware attack when he noticed his phone was running too hot. Plus, the investigation revealed that in a one-of-a-kind case, his phone was attacked by both Predator and Pegasus.

An image accompanying a Cytrox Predator link sent to Nour purports to be a link to the legitimate website of the Al Masry Al Youm newspaper. The actual link goes to a fake lookalike domain, almasryelyuom[.]com. (Credit: Citizen Lab)

Researchers found two commands running on the iPhones that had references to “distedc[.]com.” They ran a Censys fingerprint search — Censys is an internet-wide scanning service that can be used to identify servers by their characteristics — which pointed towards IP addresses belonging to Cytrox.

Citizen Lab’s investigation points towards additional domains observed in the Predator spyware attack. You can find the full list of associated domains — used for phishing or compromise attacks — in this GitHub file.
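A defender who has such a list wants to check the links that actually reached a device against it. The script below is an added example, not Citizen Lab’s, Amnesty’s or TNW’s code: it turns indicators written in the defanged “[.]” style used above back into hostnames, pulls URLs out of constructed sample messages, and flags any whose host is an indicator or a subdomain of one. The two hostnames in the indicator list are the ones named in this article; the sample messages are constructed for the example and are not real captured traffic.

```python
"""Added example: triage URLs in sample messages against a defanged
indicator list (not Citizen Lab's, Amnesty's or TNW's code)."""
import re
from typing import List, Optional, Set, Tuple

from urllib.parse import urlsplit

# Indicators in the defanged "[.]" style the article uses. Both hostnames
# appear in the article; the list itself is constructed for this example.
DEFANGED_IOCS = [
    "almasryelyuom[.]com",
    "distedc[.]com",
]

# Crude URL matcher: scheme plus everything up to whitespace or a quote.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into a real, lower-cased hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def host_of(url: str) -> str:
    """Return the bare hostname of a URL (no port, no userinfo), lower-cased."""
    return (urlsplit(url).hostname or "").lower()


def matches_ioc(host: str, iocs: Set[str]) -> Optional[str]:
    """Return the indicator that host equals or is a subdomain of, else None."""
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_lines(lines: List[str],
               defanged_iocs: List[str] = DEFANGED_IOCS) -> List[Tuple[int, str, str]]:
    """Return (line_no, url, matched_indicator) for every URL whose host hits the list."""
    iocs = {refang(i) for i in defanged_iocs}
    hits = []
    for n, line in enumerate(lines, start=1):
        for url in URL_RE.findall(line):
            ioc = matches_ioc(host_of(url), iocs)
            if ioc:
                hits.append((n, url, ioc))
    return hits


# Constructed sample messages (not real traffic). The first line carries a
# host that is NOT on the list, to show that a near-miss is not flagged.
SAMPLE_LINES = [
    "2021-06-30 09:12 msg: check this story https://www.almasryalyoum.com/news/details/1",
    "2021-06-30 09:14 msg: breaking -> https://almasryelyuom.com/news/details/2",
    "2021-06-30 09:15 msg: https://cdn.distedc.com/a.js?x=1 loaded",
    "2021-06-30 09:16 msg: hello, no links here",
]

if __name__ == "__main__":
    for n, url, ioc in scan_lines(SAMPLE_LINES):
        print(f"line {n}: {url} matches indicator {ioc}")
```

Matching on the registered indicator and on its subdomains matters because the infrastructure behind a lookalike site often serves content from hosts such as a CDN-style subdomain; an exact-string comparison on the full URL would miss those. A host that merely resembles an indicator (the first sample line) is deliberately not flagged, since guessing at lookalikes produces noise that a published list is meant to avoid.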

One of the most notable aspects of this spyware is that it can survive a reboot of an iPhone, which normally clears most spyware from the device’s memory.

In the Android payload, researchers found several references to audio recording components that can log your conversations.

They also listed the governments that might be Cytrox’s clients: Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

You can read more about Citizen Lab’s investigation here.

What is Meta doing?

Meta released a new report on hack-for-hire operations. The company said it has kicked out 300 accounts related to Cytrox from Facebook and Instagram.

In its investigations, the social network noted that Cytrox used a network of domains “to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media services.”

Meta has also blocked the accounts of six other hack-for-hire entities based in the US, India, Israel, and China.

You can read Meta’s full report here.

Here, there, spyware everywhere

Amnesty International, an organization focusing on human rights, said it’s willing to help out any activist who thinks they’ve been targeted. It also published a GitHub library of indicators that could help researchers find Predator spyware on phones.

After the report was published, Motherboard reporter Lorenzo Franceschi-Bicchierai reached out to Cytrox’s CEO and founder, Ivo Malinkovski. Hours later, he removed all references to the company from his profile — except one seen in the picture below.

This investigation has emerged in the same week that reports of the NSO Group shutting down Pegasus have surfaced. It suggests that while we’ve learned a lot about Pegasus, there are other spyware companies out there that might be operating silently. It’s not over yet.

Story by Ivan Mehta

Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That’s one heck of a mixed bag. He likes to say “Bleh.”
