Meta removes accounts of spyware company Cytrox after Citizen Lab report on gov't hacks

Citizen Lab did a deep dive into Cytrox's Predator spyware, which was able to infect the 14.6 version of Apple's iOS operating system using single-click links sent via WhatsApp.
Written by Jonathan Greig, Contributor

Citizen Lab has released a new report highlighting widespread government use of the "Predator" spyware from North Macedonian developer Cytrox.

Researchers found that Predator was used to attack two people in June 2021. According to Citizen Lab, the spyware "was able to infect the then-latest version (14.6) of Apple's iOS operating system using single-click links sent via WhatsApp."

Citizen Lab senior researcher John Scott-Railton told ZDNet that the report illustrates how the malware may change, but the abuse will continue. 

"Ultimately it's the perfect case study showing that the industry will just keep fueling abuses. And it illustrates why systematic enforcement is so essential," Scott-Railton said. 

The researchers added that Predator persists after reboot using the iOS automations feature. Apple did not respond to requests for comment about the spyware, but Citizen Lab said they have been notified and are investigating the issue. 

Because the infection links were delivered over WhatsApp, Citizen Lab also notified Meta, WhatsApp's parent company, about Predator's activity. Meta announced it is taking enforcement action against Cytrox and is removing approximately 300 Facebook and Instagram accounts linked to the spyware company.

The security team at Meta found "an extensive list of lookalike domains used as part of social engineering and malware attacks."

"The Meta report states that they believe Cytrox customers include entities in Egypt, Armenia, Greece, Saudi Arabia, Oman, Colombia, Côte d'Ivoire, Vietnam, Philippines, and Germany and that they identified additional abusive targeting initiated by Cytrox customers around the world," Citizen Lab explained. 

Meta also took down accounts linked to six other cyber-surveillance firms: Cobwebs Technologies, Cognyte, Black Cube, Bluehawk CI, BellTroX and an unnamed company based in China. Meta's report said the companies created more than 1,500 fake accounts that targeted 50,000 users in at least 100 countries.

Exiled Egyptian politician Ayman Nour was one of the two who had devices infected with Predator, and Citizen Lab noted that his phone was also infected with Pegasus, the headline-grabbing spyware from troubled spyware company NSO Group. Citizen Lab said two different governments were spying on Nour at the same time during parts of 2021. 

Citizen Lab's reports about Pegasus and NSO Group have caused international outrage and prompted global conversations about the proliferation of powerful spyware. NSO Group was blacklisted by the US government last month and this week faced calls for even harsher sanctions.

Cytrox, according to the report, is part of Intellexa, an NSO Group rival based in the European Union. Cytrox itself was purchased in 2018 by Israeli firm WiSpear, Citizen Lab found.

Through scanning for Predator spyware servers, Citizen Lab researchers found "likely" customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.  

"We confirmed the hacking of the devices of two individuals with Cytrox's Predator spyware: Ayman Nour, a member of the Egyptian political opposition living in exile in Turkey, and an Egyptian exiled journalist who hosts a popular news program and wishes to remain anonymous," Citizen Lab explained. 

"Nour first became suspicious after observing that his iPhone was 'running hot.' We learned of Nour's case and reviewed logs from his phone. We attribute the attacks on the two targets to the Egyptian Government with medium-high confidence. We conducted scanning that identified the Egyptian Government as a Cytrox Predator customer, websites used in the hacks of the two targets bore Egyptian themes, and the messages that initiated the hack were sent from Egyptian WhatsApp numbers."

Further investigation into Nour's phone revealed that he had been hacked with Pegasus in March 2021, and that there was another attempt to hack his phone in June 2021 using NSO Group's FORCEDENTRY exploit.

"This report is the first investigation to discover Cytrox's mercenary spyware being abused to target civil society. NSO Group has received outsized publicity in recent years, thanks to a growing customer list, spiraling abuse problems, and groundbreaking investigative work by civil society," Citizen Lab said.  

"Cytrox and its Predator spyware, meanwhile, are relatively unknown. The targeting of a single individual with both Pegasus and Predator underscores that the practice of hacking civil society transcends any specific mercenary spyware company. Instead, it is a pattern that we expect will persist as long as autocratic governments are able to obtain sophisticated hacking technology. Absent international and domestic regulations and safeguards, journalists, human rights defenders, and opposition groups will continue to be hacked into the foreseeable future."
