Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

European Lawmaker Targeted With Cytrox Predator Surveillance Spyware

A security audit by the European Parliament has unearthed attempts to plant high-end surveillance software on the phone of a Greek lawmaker and there are fresh reports linking the hack attempt to a known North Macedonia spyware vendor.

A security audit by the European Parliament has unearthed attempts to plant high-end surveillance software on the phone of a Greek lawmaker and there are fresh reports linking the hack attempt to a known North Macedonia spyware vendor.

The company, called Cytrox, was previously exposed as the makers of Predator, a tool capable of launching sophisticated exploits on Apple’s iOS-powered devices. Now, according to published reports out of Greece, the surveillance tool has been linked to an attempted hack of a phone belonging to Nikos Androulakis, a member of the European Parliament.

Androulakis, who is head of the Greek socialist party, said he received a text message on his mobile phone that read “Let’s get a little serious about this, my friend, we have something to win” and contained a malicious URL capable of infecting the phone from a single click.

Androulakis did not click on the link and the attempted hack was only discovered after the European Parliament started checking lawmakers’ devices for signs of infections from high-end surveillance spyware.

[ READ: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem? ]

Israel’s NSO Group, which markets Pegasus hacking tools, is in the midst of a global controversy that includes major corporate lawsuits and crippling sanctions from the U.S. government.

The University of Toronto’s Citizen Lab recently teamed up with the threat-intel team at Facebook parent company Meta to expose Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry.

In a detailed technical report, Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on phones belonging to two notable Egyptians. The malware, called Predator, was able to infect the then-latest iOS version (14.6) using single-click links sent via WhatsApp.  

Advertisement. Scroll to continue reading.

In one case, exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating and eventually found evidence of two different spyware programs — managed by two different government APT actors — running on the device.  Citizen Lab has attributed this attack to the Egyptian government, which is a known Cytrox customer.

[ READ: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware ]

A separate advisory issued by Meta’s security team listed Cytrox alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business.

These companies manage the reconnaissance, engagement and exploitation phases of advanced malware campaigns for governments and law enforcement agencies around the world, including some governments that aim these exploits at journalists, politicians and members of civil society.

The discovery of these spyware vendors has forced Apple into a cat-and-mouse game of rolling out mitigations and patches for flaws exploited as zero-day by these exploit brokers.

Earlier this month, Apple announced plans to add a new ‘Lockdown Mode’ that significantly reduces attack surface and adds technical roadblocks to limit sophisticated software exploits.

According to Apple, the new Lockdown Mode will be an extreme, optional OS version for a tiny percentage of its users who are targeted with sophisticated exploits capable of silently infecting iPhones without the user clicking on malicious links or surfing to rigged websites.

Related: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware

Related: Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’

Related: Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware

Related: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation

Related: US Puts New Controls on Israeli Spyware Company NSO Group

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...