Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware

The University of Toronto’s Citizen Lab has discovered another player in the private sector mobile spyware business, fingering a tiny North Macedonia company called Cytrox as the makers of high-end iPhone implants.

The University of Toronto’s Citizen Lab has discovered another player in the private sector mobile spyware business, fingering a tiny North Macedonia company called Cytrox as the makers of high-end iPhone implants.

Citizen Lab teamed up with the threat-intel team at Facebook parent company Meta to expose Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry.

In a detailed technical report published late Thursday, Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on phones belonging to two notable Egyptians.  

The malware, called Predator, was able to infect the then-latest iOS version (14.6) using single-click links sent via WhatsApp.  

In one eyebrow-raising case, exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating and eventually found evidence of two different spyware programs — managed by two different government APT actors — running on the device.  Citizen Lab has attributed this attack to the Egyptian government, which is a known Cytrox customer.

 [ READ: Google: Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’ ]

Citizen Lab said Nour’s phone was infected with both Cytrox’s Predator and the more well-known Pegasus spyware sold to governments by Israeli vendor NSO Group.

In its exposé, Citizen Lab documented the corporate history of Cytrox as a startup founded in 2017 by Ivo Malinkovksi, a North Macedonia man who merged the company with Intellexa and publicly hawked digital forensics tools.  The company claims it is based in the European Union with R&D labs and sites throughout Europe.

In a separate advisory issued by Meta’s security team, Cytrox is listed alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business.

These companies manage the reconnaissance, engagement and exploitation phases of advanced malware campaigns for governments and law enforcement agencies around the world, including some governments that aim these exploits at journalists, politicians and members of civil society.

[ READ: Meta Targets ‘Cyber Mercenaries’ Using Facebook to Spy ]

Facebook’s team said it nuked 300 accounts used by Cytrox and identified the company as one that “develops exploits and sells surveillance tools and malware that enable its clients to compromise iOS and Android devices.”

“[We were] able to find a vast domain infrastructure that we believe Cytrox used to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media service,” Facebook’s security team said.

“They used these domains as part of their phishing and compromise campaigns. Cytrox and its customers took steps to tailor their attacks for particular targets by only infecting people with malware when they passed certain technical checks, including IP address and device type. If the checks failed, people could be redirected to legitimate news or other websites,” the company added.

“Targets of Cytrox and its customers included politicians and journalists around the world, including in Egypt and Armenia.”

The full Citizen Lab paper is available here.  The full Meta (Facebook) announcement includes indicators of compromise data and is available here.

Related: NSO Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’

Related: Meta Targets ‘Cyber Mercenaries’ Using Facebook to Spy

Related: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation

Related: US Puts New Controls on Israeli Spyware Company NSO Group

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.