Thursday’s newly disclosed vulnerabilities in iOS were used to install spyware on an iPhone belonging to an Egyptian politician running for president, according to security researchers.
The findings come from spyware watchdog group Citizen Lab, which worked with Google to report the vulnerabilities to Apple earlier this month. On Thursday, Apple rushed out an emergency patch to protect iPhone, iPads, and Macs from the threat.
Citizen Lab says it discovered the vulnerabilities after the Egyptian presidential candidate Ahmed Eltantawy reached out to the organization over suspicions that his iPhone had been compromised. “Our forensic analysis showed numerous attempts to target Eltantawy with Cytrox’s Predator spyware,” Citizen Lab said in the report.
Cytrox is an Israeli-Hungarian cyber arms dealer that sells to foreign governments. The company’s “Predator” spyware was previously documented infecting devices belonging to two exiled Egyptians, along with other targets, including an employee at Facebook’s parent Meta.
In Eltantawy’s case, the attack leveraged three iOS vulnerabilities to secretly install Cytrox’s Predator spyware. Exploiting the vulnerabilities can allow a hacker to booby-trap a website to trigger rogue computer code on an iPhone, elevate their hacking privileges on iOS, and also bypass Apple’s security system to check if an installed app is legitimate or not. The result paves the way for a zero-click attack, requiring no user interaction. Hence, Citizen Lab is urging all iPhone users to patch their devices.
But perhaps the most disturbing finding is how Eltantawy’s own cellular provider played a role in installing the spyware on his phone. Vodafone Egypt forwarded his iPhone’s browser to malicious websites designed to load the Predator payload.
“In August and September 2023, when Eltantawy visited certain websites without HTTPS from his phone, using his Vodafone Egypt mobile data connection, he was silently redirected to a website (c.betly[.]me) via network injection,” Citizen Lab noted.
Google’s own report adds if the malicious c.betly[.]me domain detected that the visitor was the right target, it would then send the user to another site that proceeded to exploit the iOS vulnerabilities to hijack the iPhone.
(Credit: Citizen Lab)Vodafone didn’t immediately respond to a request for comment. But the carrier’s suspected involvement is causing Citizen Lab to conclude the Egyptian government itself is behind the spyware attack.
“Given that Egypt is a known customer of Cytrox’s Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the network injection attack to the Egyptian government with high confidence,” the group added.
To further hack Eltantawy’s iPhone, the attackers also relied on phishing messages. Citizen Lab notes several SMS texts from September 2021, and then March and September of this year were sent to his device while pretending to come from WhatsApp. “In reality, clicking the links [in the messages] would likely have infected Eltantawy’s phone with Cytrox’s Predator spyware,” Citizen Lab says.
Another batch of messages likely carrying links to the Predator spyware also arrived via the real WhatsApp service back in June and July. In this case, the messages came from someone named “Angie Raouf,” who claimed to work at the International Federation for Human Rights.
Cytrox doesn’t have a public website, so PCMag was not able to reach out to the company for comment. Back in July, the Biden administration placed the Cytrox, along with its sister firm, Intellexa, on a US export control blacklist, which is designed to block American companies from conducting business with them.
But despite the blacklisting, it looks like Cytrox is still active. Citizen Lab added: "The use of mercenary spyware to target a senior member of a country’s democratic opposition after they had announced their intention to run for president is a clear interference in free and fair elections."