Security Experts:

European Lawmaker Targeted With Cytrox Predator Surveillance Spyware

A security audit by the European Parliament has unearthed attempts to plant high-end surveillance software on the phone of a Greek lawmaker and there are fresh reports linking the hack attempt to a known North Macedonia spyware vendor.

The company, called Cytrox, was previously exposed as the makers of Predator, a tool capable of launching sophisticated exploits on Apple’s iOS-powered devices. Now, according to published reports out of Greece, the surveillance tool has been linked to an attempted hack of a phone belonging to Nikos Androulakis, a member of the European Parliament.

Androulakis, who is head of the Greek socialist party, said he received a text message on his mobile phone that read "Let's get a little serious about this, my friend, we have something to win” and contained a malicious URL capable of infecting the phone from a single click.

Androulakis did not click on the link and the attempted hack was only discovered after the European Parliament started checking lawmakers' devices for signs of infections from high-end surveillance spyware.

[ READ: Can 'Lockdown Mode' Solve Apple's Mercenary Spyware Problem? ]

Israel’s NSO Group, which markets Pegasus hacking tools, is in the midst of a global controversy that includes major corporate lawsuits and crippling sanctions from the U.S. government.

The University of Toronto’s Citizen Lab recently teamed up with the threat-intel team at Facebook parent company Meta to expose Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry.

In a detailed technical report, Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on phones belonging to two notable Egyptians. The malware, called Predator, was able to infect the then-latest iOS version (14.6) using single-click links sent via WhatsApp.  

In one case, exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating and eventually found evidence of two different spyware programs -- managed by two different government APT actors -- running on the device.  Citizen Lab has attributed this attack to the Egyptian government, which is a known Cytrox customer.

[ READ: Citizen Lab Exposes Cytrox as Vendor Behind 'Predator' iPhone Spyware ]

A separate advisory issued by Meta’s security team listed Cytrox alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business.

These companies manage the reconnaissance, engagement and exploitation phases of advanced malware campaigns for governments and law enforcement agencies around the world, including some governments that aim these exploits at journalists, politicians and members of civil society.

The discovery of these spyware vendors has forced Apple into a cat-and-mouse game of rolling out mitigations and patches for flaws exploited as zero-day by these exploit brokers.

Earlier this month, Apple announced plans to add a new 'Lockdown Mode' that significantly reduces attack surface and adds technical roadblocks to limit sophisticated software exploits.

According to Apple, the new Lockdown Mode will be an extreme, optional OS version for a tiny percentage of its users who are targeted with sophisticated exploits capable of silently infecting iPhones without the user clicking on malicious links or surfing to rigged websites.

Related: Citizen Lab Exposes Cytrox as Vendor Behind 'Predator' iPhone Spyware

Related: Pegasus Zero-Click 'Most Technically Sophisticated Exploit Ever Seen'

Related: Apple Adds 'Lockdown Mode' to Thwart .Gov Mercenary Spyware

Related: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation

Related: US Puts New Controls on Israeli Spyware Company NSO Group

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.