Connect with us

Hi, what are you looking for?


Mobile & Wireless

Predator Spyware Delivered to iOS, Android Devices via Zero-Days, MitM Attacks

Predator spyware delivered to iPhones and Android devices using iOS and Chrome zero-day vulnerabilities and MitM attacks. 

iOS malware

The Predator spyware has been delivered to iPhones and Android devices using iOS and Chrome zero-day vulnerabilities and man-in-the-middle (MitM) attacks, according to Google’s Threat Analysis Group.

Apple last week informed customers about the availability of patches for three zero-days tracked as CVE-2023-41991 (signature verification bypass), CVE-2023-41992 (local privilege escalation), and CVE-2023-41993 (arbitrary code execution via malicious webpage).

Apple fixed the vulnerabilities in iOS, macOS and other software, but the tech giant noted that it’s only aware of exploitation aimed at devices running iOS versions before 16.7. 

The University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group, which have been credited for reporting the vulnerabilities to Apple, revealed on Friday that the flaws have been chained in an attack targeting Ahmed Altantawy, a leading opposition politician in Egypt.

What’s interesting about the exploit is that it was delivered through an MitM attack, which are typically launched by threat actors with many resources, such as state-sponsored groups. 

In this particular case, Citizen Lab explained, when Altantawy visited certain websites through his Vodafone Egypt mobile data connection, he would get redirected to a site set up to serve the Predator spyware, which has been attributed to two related entities named Cytrox and Intellexa. Cytrox is known for its high-end iPhone implants. 

The Egyptian lawmaker was redirected to the sites serving the spyware only when visiting websites that used HTTP rather than HTTPS. This allowed the attacker to intercept the victim’s traffic and force a redirect to the malicious website. 

“While there’s a spotlight on ‘0-click’ vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls,” Google explained.

Advertisement. Scroll to continue reading.

It’s not uncommon for totalitarian and authoritarian regimes to conduct surveillance and traffic manipulation at the ISP level using traffic management middleboxes. 

In this case, Citizen Lab said, the attacker used an injection middlebox, but the organization was unable to determine whether the middlebox was on Telecom Egypt or Vodafone Egypt’s network.

“However, we suspect that it is within Vodafone Egypt’s network, because precisely targeting injection at an individual Vodafone subscriber would require integration with Vodafone’s subscriber database,” Citizen Lab said. 

Egypt is a known customer of the Predator spyware, which means it’s highly unlikely that the operation targeting the opposition leader was conducted without the knowledge of Egyptian authorities, Citizen Lab noted. 

Google also reported seeing an exploit chain designed to install the Predator spyware on Android devices in Egypt. Its researchers were unable to identify every vulnerability involved in this chain, but they did confirm that it leveraged CVE-2023-4762 for remote code execution. 

CVE-2023-4762 is a Chrome vulnerability that was patched by Google with an update released in early September. At the time, the company had not been aware of in-the-wild exploitation, but believes that the vulnerability was exploited as a zero-day before the fix was released.

The Android exploit chain was delivered not only through MitM attacks, but also via malicious links sent directly to the target in SMS and WhatsApp messages.

In addition to patching the vulnerability, Google noted that the Chrome browser has a feature called HTTP-First mode, which attempts to automatically upgrade webpages to HTTPS. 

Related: Leaked Docs Show Spyware Firm Offering iOS, Android Hacking Services for $8 Million

Related: US Gov Mercenary Spyware Clampdown Hits Cytrox, Intellexa

Related: Spyware Find Highlights Depth of Hacker-for-Hire Industry

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.