The Canadian Citizen Lab has published the first details of a new spyware product from a largely unknown competitor of the NSO Group. The spyware, called “Predator”, was found on the devices of two exiled Egyptians: the politician Aiman Nur and an unnamed “spokesman for a popular news program”. The politician’s iPhone was infected with Predator and with Pegasus, the spyware of competitor NSO Group, at the same time.
Overheated smartphone with double spyware
He only became suspicious because his iPhone, which was running the then-latest iOS 14.6, “overheated”, the security researchers explain. Predator was probably installed via a manipulated website, after he clicked a link sent to him via WhatsApp.
The Predator “loader” deletes all log files on the device after installation and then fetches additional components from a server. In addition, the spyware apparently abuses the automation features of the operating system, for example to reinstall itself after every restart: an automation in Apple’s Shortcuts app calls a URL whenever commonly used apps are opened, which apparently then compromises the device again, Citizen Lab explains.
Notifications about the execution of the automation are suppressed with a configuration profile. How the spyware bypasses further security precautions in Apple’s Shortcuts app remains unclear. Besides the iOS version, Predator is also available in a variant for Android, but according to the security researchers that variant has no persistence mechanism.
Spyware problem extends beyond individual providers
Predator is developed by the still largely unknown company Cytrox, which is based in Israel and Hungary and is reportedly part of Intellexa. That alliance describes itself as “EU-based and regulated” and wants to compete with the NSO Group, as Citizen Lab explains.
The security researchers suspect that state actors in Egypt are behind the attacks. Such attacks on civil society make clear that the problem goes well beyond a single spyware provider: without international and local regulation and security measures, attacks of this kind on human rights defenders, opposition activists and journalists will continue unhindered.