The Predator spyware has been delivered to iPhones and Android devices using iOS and Chrome zero-day vulnerabilities and man-in-the-middle (MitM) attacks, according to Google’s Threat Analysis Group.
Apple last week informed customers about the availability of patches for three zero-days tracked as CVE-2023-41991 (signature verification bypass), CVE-2023-41992 (local privilege escalation), and CVE-2023-41993 (arbitrary code execution via malicious webpage).
Apple fixed the vulnerabilities in iOS, macOS and other software, but the tech giant noted that it’s only aware of exploitation aimed at devices running iOS versions before 16.7.
The University of Toronto’s Citizen Lab group and Google’s Threat Analysis Group, which have been credited for reporting the vulnerabilities to Apple, revealed on Friday that the flaws have been chained in an attack targeting Ahmed Altantawy, a leading opposition politician in Egypt.
What’s interesting about the exploit is that it was delivered through an MitM attack, a technique typically used by well-resourced threat actors such as state-sponsored groups.
In this particular case, Citizen Lab explained, when Altantawy visited certain websites through his Vodafone Egypt mobile data connection, he would get redirected to a site set up to serve the Predator spyware, which has been attributed to two related entities named Cytrox and Intellexa. Cytrox is known for its high-end iPhone implants.
The Egyptian lawmaker was redirected to the sites serving the spyware only when visiting websites that used HTTP rather than HTTPS. This allowed the attacker to intercept the victim’s traffic and force a redirect to the malicious website.
“While there’s a spotlight on ‘0-click’ vulnerabilities (bugs that don’t require user interaction) this MITM delivery also didn’t require the user to open any documents, click a specific link, or answer any phone calls,” Google explained.
It’s not uncommon for totalitarian and authoritarian regimes to conduct surveillance and traffic manipulation at the ISP level using traffic management middleboxes.
In this case, Citizen Lab said, the attacker used an injection middlebox, but the organization was unable to determine whether the middlebox was on Telecom Egypt or Vodafone Egypt’s network.
“However, we suspect that it is within Vodafone Egypt’s network, because precisely targeting injection at an individual Vodafone subscriber would require integration with Vodafone’s subscriber database,” Citizen Lab said.
Egypt is a known customer of the Predator spyware, which means it’s highly unlikely that the operation targeting the opposition leader was conducted without the knowledge of Egyptian authorities, Citizen Lab noted.
Google also reported seeing an exploit chain designed to install the Predator spyware on Android devices in Egypt. Its researchers were unable to identify every vulnerability involved in this chain, but they did confirm that it leveraged CVE-2023-4762 for remote code execution.
CVE-2023-4762 is a Chrome vulnerability that was patched by Google with an update released in early September. At the time, the company was not aware of in-the-wild exploitation, but it now believes the vulnerability was exploited as a zero-day before the fix was released.
The Android exploit chain was delivered not only through MitM attacks, but also via malicious links sent directly to the target in SMS and WhatsApp messages.
In addition to patching the vulnerability, Google noted that the Chrome browser has a feature called HTTPS-First Mode, which attempts to automatically upgrade webpages to HTTPS.
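The delivery mechanism described above turns on a single property: only traffic sent over plain HTTP can be rewritten by an on-path middlebox without breaking TLS, which is why HTTPS-First Mode blunts it. The following added example (not code from the article, Citizen Lab or Google) shows how a defender could triage a log of browser transactions for exactly that pattern: it flags cleartext requests at all, and singles out cleartext responses that redirect to a site the user never asked for, which is what an injected lure redirect looks like on the wire. The sample log, hostnames and verdict labels are all constructed placeholders.

```python
# Added example (not from the article): triage cleartext HTTP transactions.
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

@dataclass(frozen=True)
class Transaction:
    url: str                 # URL the browser requested
    status: int              # response status code
    location: Optional[str]  # Location header, if the response carried one

def _site(host: Optional[str]) -> Optional[str]:
    # Simplification: "www.example.org" and "example.org" count as one site.
    return None if host is None else host.lower().removeprefix("www.")

def is_cleartext(tx: Transaction) -> bool:
    # Only plain-HTTP traffic can be rewritten by an on-path middlebox without
    # breaking TLS; it is exactly what HTTPS-First Mode would have upgraded.
    return urlsplit(tx.url).scheme.lower() == "http"

def is_off_site_redirect(tx: Transaction) -> bool:
    # An injected lure redirect points at a site the user never requested.
    if tx.status not in REDIRECT_CODES or not tx.location:
        return False
    src = _site(urlsplit(tx.url).hostname)
    dst = _site(urlsplit(tx.location).hostname)
    # Relative Location (dst is None) or a same-site http->https upgrade is benign.
    return dst is not None and dst != src

def triage(log):
    """Map each cleartext URL to a verdict; HTTPS transactions are skipped."""
    verdicts = {}
    for tx in log:
        if is_cleartext(tx):
            verdicts[tx.url] = ("suspect_injection" if is_off_site_redirect(tx)
                                else "cleartext_exposure")
    return verdicts

# Constructed sample log: one injected-looking redirect, one benign upgrade,
# one relative redirect, one plain page, one HTTPS redirect (not injectable).
SAMPLE_LOG = [
    Transaction("http://news.example.org/article", 302, "https://lure.invalid/"),
    Transaction("http://blog.example.org/", 301, "https://www.blog.example.org/"),
    Transaction("http://forum.example.org/", 302, "/home"),
    Transaction("http://shop.example.net/", 200, None),
    Transaction("https://bank.example.com/", 302, "https://login.bank.example.com/"),
]
```

Every URL that receives a `cleartext_exposure` verdict is one an HTTPS-only browser policy would have removed from the attack surface; a `suspect_injection` verdict is worth correlating against what the same URL normally returns from a clean network.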