The University of Toronto’s Citizen Lab has discovered another player in the private sector mobile spyware business, fingering a tiny North Macedonia company called Cytrox as the makers of high-end iPhone implants.
Citizen Lab teamed up with the threat-intel team at Facebook parent company Meta to expose Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry.
In a detailed technical report published late Thursday, Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on phones belonging to two notable Egyptians.
The malware, called Predator, was able to infect the then-latest iOS version (14.6) using single-click links sent via WhatsApp.
In one eyebrow-raising case, exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating and eventually found evidence of two different spyware programs — managed by two different government APT actors — running on the device. Citizen Lab has attributed this attack to the Egyptian government, which is a known Cytrox customer.
Citizen Lab said Nour’s phone was infected with both Cytrox’s Predator and the more well-known Pegasus spyware sold to governments by Israeli vendor NSO Group.
In its exposé, Citizen Lab documented the corporate history of Cytrox as a startup founded in 2017 by Ivo Malinkovksi, a North Macedonia man who merged the company with Intellexa and publicly hawked digital forensics tools. The company claims it is based in the European Union with R&D labs and sites throughout Europe.
In a separate advisory issued by Meta’s security team, Cytrox is listed alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business.
These companies manage the reconnaissance, engagement and exploitation phases of advanced malware campaigns for governments and law enforcement agencies around the world, including some governments that aim these exploits at journalists, politicians and members of civil society.
Facebook’s team said it nuked 300 accounts used by Cytrox and identified the company as one that “develops exploits and sells surveillance tools and malware that enable its clients to compromise iOS and Android devices.”
“[We were] able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media service,” Facebook’s security team said.
“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites,” the company added.
“Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.”