iOS Exploits Traced to Israeli 'Predator' Spyware Used on Egyptian Politician
22.09.2023 - 20:53
/ pcmag.com
Thursday’s newly disclosed vulnerabilities in iOS were used to install spyware on an iPhone belonging to an Egyptian politician running for president, according to security researchers.
The findings come from spyware watchdog group Citizen Lab, which worked with Google to report the vulnerabilities to Apple earlier this month. On Thursday, Apple rushed out an emergency patch to protect iPhones, iPads, and Macs from the threat.
Citizen Lab says it discovered the vulnerabilities after the Egyptian presidential candidate Ahmed Eltantawy reached out to the organization over suspicions that his iPhone had been compromised. “Our forensic analysis showed numerous attempts to target Eltantawy with Cytrox’s Predator spyware,” Citizen Lab said in the report.
Cytrox is an Israeli-Hungarian cyber arms dealer that sells to foreign governments. The company’s “Predator” spyware was previously documented infecting devices belonging to two exiled Egyptians, along with other targets, including an employee at Facebook’s parent Meta.
In Eltantawy’s case, the attack chained three iOS vulnerabilities to secretly install Cytrox’s Predator spyware. Exploiting them lets an attacker booby-trap a website so that it runs rogue code on an iPhone, elevate that code's privileges within iOS, and bypass the Apple security mechanism that checks whether installed app code is legitimate. Together they pave the way for a zero-click attack that requires no user interaction, which is why Citizen Lab is urging all iPhone users to patch their devices.
But perhaps the most disturbing finding is how Eltantawy’s own cellular provider played a role in installing the spyware on his phone. Vodafone Egypt forwarded his iPhone’s browser to malicious websites designed to load the Predator payload.
“In August and September 2023, when Eltantawy visited certain websites without HTTPS from his phone, using his Vodafone Egypt mobile data connection, he was silently redirected to a website (c.betly[.]me) via network injection,” Citizen Lab noted.
Google’s own report adds that if the malicious c.betly[.]me domain determined the visitor was the intended target, it redirected the user to another site that exploited the iOS vulnerabilities to hijack the iPhone.
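Added here as an illustration, not code from the PCMag article, Citizen Lab, or Google: a small Python triage check that flags plaintext HTTP requests answered with a redirect to a different registrable domain, which is the observable pattern of the network injection described above. The request/response pairs are constructed for the example; only the c.betly[.]me hostname comes from the report.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of (request URL, raw HTTP response head) pairs, as a
# local proxy or packet capture might record them. Hostnames ending in .test
# are made up; the redirect target domain is the one named in the report.
SAMPLE_EXCHANGES = [
    ("http://example-news.test/article",
     "HTTP/1.1 302 Found\r\nLocation: http://c.betly.me/?id=123\r\n\r\n"),
    ("http://example-news.test/about",
     "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example-news.test/about\r\n\r\n"),
    ("https://example-shop.test/cart",
     "HTTP/1.1 302 Found\r\nLocation: https://pay.example-shop.test/\r\n\r\n"),
    ("http://example-blog.test/",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
]

STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})")

def registrable_domain(host):
    # Crude approximation (last two labels); a real tool would consult the
    # public suffix list so that e.g. co.uk names are handled correctly.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def parse_response_head(raw):
    lines = raw.split("\r\n")
    m = STATUS_RE.match(lines[0])
    status = int(m.group(1)) if m else None
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def suspicious_redirect(request_url, raw_response):
    """Return the off-domain Location if a plaintext HTTP request was answered
    with a 3xx to a different registrable domain, otherwise None."""
    req = urlsplit(request_url)
    if req.scheme != "http":
        return None           # TLS stops an on-path device rewriting the reply
    status, headers = parse_response_head(raw_response)
    if status is None or not 300 <= status < 400 or "location" not in headers:
        return None
    target = urlsplit(headers["location"])
    if not target.hostname:
        return None           # relative redirect stays on the same origin
    if registrable_domain(target.hostname) == registrable_domain(req.hostname):
        return None
    return headers["location"]

def scan(exchanges):
    return [(url, hit) for url, raw in exchanges if (hit := suspicious_redirect(url, raw))]
```

Cross-domain redirects are common for legitimate reasons (CDNs, consent pages), so a hit is a lead for comparison against the same URL fetched over a trusted path, not proof of injection.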
Vodafone didn’t immediately respond to a request for comment. But the carrier’s suspected involvement leads Citizen Lab to conclude that the Egyptian government itself is behind the spyware attack.
“Given that Egypt is a known customer of Cytrox’s Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the network injection attack to the Egyptian government with high confidence,” the group added.
To