Spyware injected into vulnerable iOS and Android Devices through Man-In-The-Middle Attacks
Take action: Always patch your phones and browsers to the latest versions, because spyware used by both criminals and governments exploits every chance it gets to attack your phone or browser.
Learn More
The Predator spyware has been injected into iPhones and Android devices by exploiting iOS and Chrome zero-day vulnerabilities, with the exploits delivered through man-in-the-middle (MitM) attacks.
The Predator spyware is attributed to Cytrox and Intellexa, with Cytrox known for its high-end iPhone spyware.
Apple promptly alerted its users about patches available for three identified zero-days, namely CVE-2023-41991 (signature verification bypass), CVE-2023-41992 (local privilege escalation), and CVE-2023-41993 (arbitrary code execution through a malicious webpage). Apple specified that it was only aware of exploitation attempts against iOS devices running versions prior to 16.7.
A real-world example was the attack targeting Ahmed Altantawy, a prominent opposition figure in Egypt, which was executed through a man-in-the-middle (MitM) attack, a technique usually employed by well-resourced threat actors, including state-sponsored groups. Altantawy was redirected to websites hosting the Predator spyware when he accessed unencrypted HTTP websites over his Vodafone Egypt mobile data connection; the attacker intercepted his plaintext traffic and redirected it to the malicious site. This attack method is fully transparent to the victim: no action on their part is required for the device to be compromised.
This incident also revealed the utilization of an injection system, potentially within Vodafone Egypt’s network. Given Egypt’s history as a Predator spyware customer and the highly targeted nature of this attack, it is probable that the operation was not conducted without the knowledge of Egyptian authorities.
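The injection described above leaves a trace that a network defender can look for: a plaintext HTTP request that is answered with a redirect to a host unrelated to the one the user asked for. The script below is an added example, not code from the original article or from any of the vendors it mentions. It parses a constructed, simplified flow log (one request per line: timestamp, client, scheme, host, path, status, Location) and flags off-site redirects of unencrypted traffic, while leaving benign HTTP-to-HTTPS upgrades on the same domain alone; real proxy or flow exports need their own parser, and the registrable-domain helper is an approximation that a production check should replace with a Public Suffix List lookup.

```python
"""Flag plaintext-HTTP requests that were redirected to an unrelated host.

Added example, not code from the original article. The log format and all
hosts below are constructed for this example (the .invalid TLD is reserved
and never resolves).
"""
from __future__ import annotations

from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample log: timestamp client scheme host path status location
SAMPLE_LOG = """\
2023-09-01T10:00:01Z 10.0.0.5 http news.example / 302 http://sys-update.invalid/landing
2023-09-01T10:00:02Z 10.0.0.5 https bank.example /login 200 -
2023-09-01T10:00:03Z 10.0.0.5 http news.example /article 301 https://news.example/article
2023-09-01T10:00:04Z 10.0.0.5 http weather.example / 302 https://www.weather.example/
2023-09-01T10:00:05Z 10.0.0.7 http shop.example /cart 302 http://sys-update.invalid/landing
"""


@dataclass
class Finding:
    timestamp: str
    client: str
    requested_host: str
    redirect_host: str


def base_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for this example only: a real check should consult the
    Public Suffix List so that suffixes such as co.uk are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_offsite_redirect(scheme: str, host: str, status: str, location: str) -> bool:
    """True when an unencrypted request was answered with a redirect to
    another registrable domain. TLS-protected requests are skipped because
    an on-path injector cannot rewrite their responses this way."""
    if scheme != "http":
        return False
    if not status.startswith("3") or location == "-":
        return False
    target = urlsplit(location).hostname
    if target is None:
        return False
    return base_domain(target) != base_domain(host)


def parse_line(line: str) -> dict[str, str] | None:
    """Split one constructed log line into its seven fields, or None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    keys = ("timestamp", "client", "scheme", "host", "path", "status", "location")
    return dict(zip(keys, parts))


def find_injected_redirects(log_text: str) -> list[Finding]:
    """Scan a whole log and return one Finding per suspicious redirect."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_offsite_redirect(rec["scheme"], rec["host"], rec["status"], rec["location"]):
            redirect_host = urlsplit(rec["location"]).hostname or ""
            findings.append(Finding(rec["timestamp"], rec["client"], rec["host"], redirect_host))
    return findings


def clients_per_redirect_target(findings: list[Finding]) -> dict[str, int]:
    """Count distinct clients sent to each off-site host. One unfamiliar host
    collecting many clients' plaintext traffic is a stronger signal of an
    in-network injector than a single stray redirect."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        seen.setdefault(f.redirect_host, set()).add(f.client)
    return {host: len(clients) for host, clients in seen.items()}


if __name__ == "__main__":
    found = find_injected_redirects(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.client} asked for {f.requested_host}, sent to {f.redirect_host}")
    print(clients_per_redirect_target(found))
```

Run against the sample, the two requests to news.example and shop.example that were bounced to sys-update.invalid are reported, while the same-domain HTTPS upgrades on lines 3 and 4 are not. The hit count per target host is what an analyst would pivot on: in a carrier or enterprise network, the same unknown host appearing across many unrelated clients' plaintext sessions is consistent with the injection system the article describes, whereas one client hitting a marketing redirect is noise.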
Google also reported an exploit chain for installing the Predator spyware on Android devices in Egypt, leveraging CVE-2023-4762, a Chrome remote code execution vulnerability patched in September. This exploit chain was again delivered through MitM attacks, as well as through malicious links sent directly to the target via SMS and WhatsApp messages.