A leading Egyptian opposition politician was targeted with the Predator spyware developed by mercenary spyware firm Cytrox through an iPhone exploit chain that used three recently disclosed zero-day vulnerabilities.
The three zero-days are CVE-2023-41991, a signature-validation bypass in the Security framework that lets a malicious app get past signature checks; CVE-2023-41992, a privilege-escalation vulnerability in the kernel that could allow a local attacker to elevate privileges; and CVE-2023-41993, a WebKit flaw that could result in arbitrary code execution when processing specially crafted web content. In a chain of this shape, the WebKit bug supplies the initial code execution when the browser loads attacker-controlled content, and the remaining two are what turn that foothold into kernel-level control of the device. The flaws were addressed last week with the release of iOS, iPadOS, macOS, watchOS, and Safari security updates.
Researchers at the Citizen Lab at the University of Toronto's Munk School said in a new report that the iPhone exploit chain was leveraged in an attack aiming to install the Predator spyware on an iPhone belonging to former Egyptian member of parliament Ahmed Eltantawy. The targeting occurred between May and September 2023, after Eltantawy publicly announced his plans to run for president in the 2024 Egyptian elections.
A joint investigation by Citizen Lab and Google’s Threat Analysis Group (TAG) found that the malware was delivered via links sent over SMS and WhatsApp, and also through network injection.
“In August and September 2023, Eltantawy’s Vodafone Egypt mobile connection was persistently selected for targeting via network injection; when Eltantawy visited certain websites not using HTTPS, a device installed at the border of Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware,” the researchers said.
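The injection described in the quote above only works because the victim's browser was speaking cleartext HTTP: an on-path device can answer the request with a redirect before the real server does, whereas a TLS connection would fail on the forged certificate. The following added example (not from Citizen Lab's report or any Cytrox or Google tooling) shows the kind of check an analyst could run over exported HTTP transaction records to spot that pattern: cleartext requests that were answered with a redirect to a different registrable domain, and URLs that were redirected only some of the time, which is what selective injection at the network border looks like from the client side. All hostnames and records are constructed placeholders, not indicators from the case.

```python
"""Flag HTTP transactions that look like on-path redirect injection.

Heuristic (added example, not part of the original report):
  1. a *cleartext* HTTP request answered with a 3xx whose Location points
     at a different registrable domain than the one the client asked for;
  2. the same URL being redirected off-domain at some times and served
     normally at others, which points at a selective injector rather than
     at the origin server.
All sample data below is constructed; hostnames are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpTransaction:
    ts: int                          # observation time (epoch seconds)
    scheme: str                      # "http" or "https"
    host: str                        # Host header (or SNI for TLS)
    path: str
    status: int                      # response status code
    location: Optional[str] = None   # Location header, if any


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: the last two labels. Adequate for the placeholder hosts
    here; a production tool would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_cross_domain_cleartext_redirect(t: HttpTransaction) -> bool:
    """True when a plaintext HTTP request was answered with a redirect to
    another registrable domain. TLS transactions are excluded: a passive
    on-path device cannot forge a response inside a TLS session without
    presenting a certificate the client would reject."""
    if t.scheme != "http" or not (300 <= t.status < 400) or not t.location:
        return False
    target = urlsplit(t.location).hostname
    if target is None:
        return False  # relative redirect, stays on the requested host
    return registrable_domain(target) != registrable_domain(t.host)


def inconsistent_urls(txns):
    """URLs that were redirected off-domain in some observations and served
    with a 2xx in others. Intermittent behaviour for one URL is the
    fingerprint of a selective injector, not of the origin server."""
    by_url = defaultdict(list)
    for t in txns:
        by_url[(t.scheme, t.host, t.path)].append(t)
    out = set()
    for key, group in by_url.items():
        injected = [t for t in group if is_cross_domain_cleartext_redirect(t)]
        normal = [t for t in group if 200 <= t.status < 300]
        if injected and normal:
            out.add(key)
    return out


def flag_injection_candidates(txns):
    """Return (suspicious transactions, URLs with intermittent redirects)."""
    flagged = [t for t in txns if is_cross_domain_cleartext_redirect(t)]
    return flagged, inconsistent_urls(txns)


# Constructed sample log. "redirect-target.example" stands in for the
# attacker-controlled host; the other names are ordinary sites.
SAMPLE = [
    HttpTransaction(1000, "http", "news.example.net", "/", 200),
    HttpTransaction(1060, "http", "news.example.net", "/", 302,
                    "http://redirect-target.example/a"),           # injected
    HttpTransaction(1120, "http", "news.example.net", "/", 200),
    HttpTransaction(1180, "http", "shop.example.net", "/cart", 301,
                    "https://shop.example.net/cart"),              # benign HTTP->HTTPS upgrade
    HttpTransaction(1240, "https", "bank.example.com", "/", 302,
                    "https://login.example.org/"),                 # over TLS, not injectable
    HttpTransaction(1300, "http", "old.example.org", "/x", 302, "/y"),  # relative redirect
]

if __name__ == "__main__":
    flagged, flapping = flag_injection_candidates(SAMPLE)
    for t in flagged:
        print(f"{t.ts}: cleartext {t.host}{t.path} -> {t.status} {t.location}")
    for url in flapping:
        print("intermittent off-domain redirect for", url)
```

Only the single cleartext redirect to `redirect-target.example` is flagged; the same-domain HTTPS upgrade, the relative redirect, and the redirect received over TLS are not. The complementary preventive control on the client side is to refuse cleartext navigation altogether (an HTTPS-only browser mode), which removes the window the injector needs.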
Citizen Lab believes that the Egyptian government, a known customer of Cytrox’s Predator spyware, is behind the attack on Eltantawy.