Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

European Lawmaker Targeted With Cytrox Predator Surveillance Spyware

A security audit by the European Parliament has unearthed attempts to plant high-end surveillance software on the phone of a Greek lawmaker and there are fresh reports linking the hack attempt to a known North Macedonia spyware vendor.

A security audit by the European Parliament has unearthed attempts to plant high-end surveillance software on the phone of a Greek lawmaker and there are fresh reports linking the hack attempt to a known North Macedonia spyware vendor.

The company, called Cytrox, was previously exposed as the makers of Predator, a tool capable of launching sophisticated exploits on Apple’s iOS-powered devices. Now, according to published reports out of Greece, the surveillance tool has been linked to an attempted hack of a phone belonging to Nikos Androulakis, a member of the European Parliament.

Androulakis, who is head of the Greek socialist party, said he received a text message on his mobile phone that read “Let’s get a little serious about this, my friend, we have something to win” and contained a malicious URL capable of infecting the phone from a single click.

Androulakis did not click on the link and the attempted hack was only discovered after the European Parliament started checking lawmakers’ devices for signs of infections from high-end surveillance spyware.

[ READ: Can ‘Lockdown Mode’ Solve Apple’s Mercenary Spyware Problem? ]

Israel’s NSO Group, which markets Pegasus hacking tools, is in the midst of a global controversy that includes major corporate lawsuits and crippling sanctions from the U.S. government.

The University of Toronto’s Citizen Lab recently teamed up with the threat-intel team at Facebook parent company Meta to expose Cytrox alongside a handful of PSOAs (private sector offensive actors) in the murky surveillance-for-hire industry.

In a detailed technical report, Citizen Lab said Cytrox is responsible for a piece of iPhone eavesdropping malware that was planted on phones belonging to two notable Egyptians. The malware, called Predator, was able to infect the then-latest iOS version (14.6) using single-click links sent via WhatsApp.  

In one case, exiled Egyptian politician Ayman Nour was spooked by his iPhone overheating and eventually found evidence of two different spyware programs — managed by two different government APT actors — running on the device.  Citizen Lab has attributed this attack to the Egyptian government, which is a known Cytrox customer.

[ READ: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware ]

A separate advisory issued by Meta’s security team listed Cytrox alongside Cobwebs Technologies, Cognate, Black Cupe, Bluehawk CI, BellTroX and two unknown Chinese entities among a growing roster of private companies in the surveillance-for-hire business.

These companies manage the reconnaissance, engagement and exploitation phases of advanced malware campaigns for governments and law enforcement agencies around the world, including some governments that aim these exploits at journalists, politicians and members of civil society.

The discovery of these spyware vendors has forced Apple into a cat-and-mouse game of rolling out mitigations and patches for flaws exploited as zero-day by these exploit brokers.

Earlier this month, Apple announced plans to add a new ‘Lockdown Mode’ that significantly reduces attack surface and adds technical roadblocks to limit sophisticated software exploits.

According to Apple, the new Lockdown Mode will be an extreme, optional OS version for a tiny percentage of its users who are targeted with sophisticated exploits capable of silently infecting iPhones without the user clicking on malicious links or surfing to rigged websites.

Related: Citizen Lab Exposes Cytrox as Vendor Behind ‘Predator’ iPhone Spyware

Related: Pegasus Zero-Click ‘Most Technically Sophisticated Exploit Ever Seen’

Related: Apple Adds ‘Lockdown Mode’ to Thwart .Gov Mercenary Spyware

Related: Apple Slaps Lawsuit on NSO Group Over Pegasus iOS Exploitation

Related: US Puts New Controls on Israeli Spyware Company NSO Group

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Nation-State

The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...

Cybercrime

The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.