A new example of the misuse of commercial spyware was revealed Thursday, December 16, by the Citizen Lab, a research laboratory at the University of Toronto. In a lengthy study detailing several attacks, this group of researchers, keen observers of the digital surveillance industry, has shed light on a company little known to the general public: Cytrox.
Headquartered in North Macedonia, Cytrox was founded in 2017, according to the Citizen Lab, and could, according to investigations by the Gizmodo and Fast Company websites, be linked to a group of several companies specializing in surveillance tools. The study by the Canadian laboratory has established that a piece of spyware, named Predator, uses a technical infrastructure linked to Cytrox.
It was by analyzing the phones of two victims, both Egyptian, that the researchers identified Predator: Ayman Nour, an opposition figure and former presidential candidate, and a journalist in exile who has not been publicly identified. While observing the spyware operating on one of the phones, the Citizen Lab discovered a domain name which, after investigation, was traced to a website linked to Cytrox. Ayman Nour's phone, moreover, was also infected with Pegasus, the spyware developed by the Israeli company NSO, and the Citizen Lab was able to observe the two spyware programs running on the phone at the same time.
Android and iOS versions
The researchers managed to study two versions of Predator, one developed to run on iOS, the operating system for Apple's mobile devices, and the other designed for Android phones. The report does not explicitly list the actions an attacker can carry out on a phone using Predator, but such spyware, like Pegasus, is designed to lodge itself in devices and obtain the permissions needed to activate the microphone and the camera, read messages, and record the activity of other applications.
Likewise, the Citizen Lab was unable to analyze the infection vectors Predator uses to bypass the security mechanisms of iOS and Android and install itself on phones. One potential lead, however: during the approach phase, both victims received messages containing links to domain names belonging to Cytrox's infrastructure.
Notably, the researchers discovered in the iOS version of the software a persistence mechanism, that is, a component that allows the spyware to remain on the device even after it is turned off and on again. No such feature was found in the Android version of Predator.
In Facebook's sights
Who are Cytrox's customers? Companies that, like it, operate in the digital surveillance industry tend to keep secret the names of the entities using their services. We know, however, that these are state police and intelligence services. In its report, the Citizen Lab thus suggests that an Egyptian state service is probably behind the two attacks that were analyzed. Likewise, an analysis of Predator's technical infrastructure carried out by the researchers leads them to believe that Cytrox's customers are located in, among other countries, Saudi Arabia, Indonesia, Madagascar and Greece.
This analysis is also shared by the Meta group (the new name of Facebook), which worked in collaboration with the Citizen Lab and whose own investigation of Cytrox identified customers in several of the same countries. The Californian company released a report on Thursday concerning seven private-sector cybersurveillance companies, including Cytrox. In the latter's case, Meta identified 300 fake Facebook and Instagram accounts used by the firm and its clients to gather information on their targets, but also to approach them and attempt to infect them with spyware.
For several years, actors such as the Citizen Lab and Amnesty International have been revealing the misuse of commercial spyware, sold by private companies to states, officially to fight crime and terrorism, but regularly used to spy on journalists, lawyers and political opponents. "As evidence of new entrants to the spyware world continues to come to light, the same abusive practices will no doubt persist until international regulations change," concludes the Citizen Lab in its report.