‘Predator’ Spyware for iPhones Uncovered by Toronto Researchers

Citizen Lab, a cyber research arm of the University of Toronto, on Thursday published a detailed analysis of ‘Predator’ — a piece of spyware similar to Israeli cyber intelligence firm NSO Group’s infamous ‘Pegasus’, which can hack and harvest data from iPhones.

Predator is developed and distributed by a previously little-known mercenary spyware development firm called Cytrox. This company is reportedly part of Intellexa, a so-called “Star Alliance of spyware,” that was established to compete with NSO Group, and which says it is “EU-based and regulated, with six sites and R&D labs throughout Europe.”

Like Pegasus, Predator is designed to access, take over, and extract sensitive information from an iPhone without the user ever knowing

The researchers over at Citizen Lab found Predator installed on two Egyptians’ iPhones — one belonged to exiled politician Ayman Nour, and the other to the host of a popular news program who chose to remain anonymous.

Both devices were infected by Predator in June 2021. The spyware successfully broke through the defences of iOS 14.6, the latest publicly available iteration of iOS at the time, and was installed after each user clicked on a link sent to them over WhatsApp.

According to Citizen Lab‘s research, Predator persists even after the infected device is restarted. Further digging also revealed probable Predator customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Interestingly, Ayman Nour’s iPhone was infected not only with Cytrox’s Predator but with NSO Group’s Pegasus spyware as well. While the two even ran simultaneously on her phone, each was being operated by a different government client.

Pegasus has a vibrant history of being used by government and intelligence agencies to target and spy on minorities, political activists, what have you, and it looks like Predator will serve a similar clientele.

Once installed, Predator is just as dangerous as Pegasus. But unlike Pegasus, Predator does not appear to be able to take advantage of a zero-click exploit (not yet, at least). A zero-click exploit allows perpetrators to install spyware on a target device without the user ever having to open any texts or click on any links.