Predator Spyware Strikes Again
On September 22nd, Citizen Lab, in collaboration with Google Project Zero, released a joint report revealing that Ahmed Eltantawy, a former Egyptian member of parliament, was targeted with highly sophisticated spyware. The payload Citizen Lab recently obtained and analyzed matches the findings of an earlier report, confirming that the tool used was Predator, a spyware product developed by Cytrox.
The attack was complex: it used three new iOS vulnerabilities and persisted across multiple delivery vectors, showing the sophistication and orchestration typically associated with nation-state operators.
As in earlier attacks such as Pegasus, the initial vector delivered malicious URLs over SMS and common messaging applications such as WhatsApp to infect devices with Predator. Subsequently, a more complex technique was used to manipulate the device's cellular traffic, silently redirecting it to compromised HTTP sites, where the zero-click attack was carried out.
Zimperium’s Comprehensive Protection Mechanisms
Comprehensive, layered protection is critical when defending against mobile threats, especially advanced ones such as Predator. Below are a few examples of Zimperium's defense-in-depth countermeasures that help protect customers from advanced threats:
- Blocking access to malicious websites: Zimperium’s on-device dynamic detection engine and content filtering engines provided customers with immediate classification of the malicious links.
- Proactively filtering malicious links in SMS: Through purpose-built on-device machine-learning classifiers, Zimperium customers benefit from proactive filtering of malicious and phishing links found in SMS messages.
- Validating the integrity of the network connection: Man-in-the-middle (MITM) attacks, central to this campaign, let an attacker control device traffic, redirecting connections or injecting data. Zimperium provides customers with an array of network detections (e.g. MITMs, rogue access points, etc.) to validate the integrity of a network connection.
- Protecting devices from connecting to unsecured URLs: Zimperium MTD can automatically encrypt and route HTTP traffic through secure servers. Implementing such a policy would have prevented the zero-click attack chain while visiting sites over insecure connections.
- Advanced spyware & behavioral detections: Zimperium MTD is equipped with advanced algorithms capable of detecting when a device has been tampered with and/or compromised by sophisticated spyware like Predator, Pegasus, and Operation Triangulation. Our continuous updates ensure that we stay ahead of emerging threats.
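The network-injection step described above depends on a cleartext HTTP request being answered with a redirect to a host the user never asked for. The following heuristic, an added example and not Zimperium's code, scans constructed transaction records (the `url`, `status` and `location` fields are assumed) and flags cleartext requests that were redirected off-host, while leaving same-host redirects such as an HTTP-to-HTTPS upgrade alone.

```python
from urllib.parse import urlsplit

# Constructed sample of HTTP transactions, shaped like what a network
# monitor might log: request URL, response status, and Location header.
SAMPLE_TRANSACTIONS = [
    {"url": "http://example.org/news", "status": 301,
     "location": "https://example.org/news"},           # benign HTTPS upgrade
    {"url": "http://example.org/news", "status": 302,
     "location": "http://c.example.net/x"},             # off-host cleartext redirect
    {"url": "https://example.org/news", "status": 200,
     "location": None},                                 # encrypted, no redirect
    {"url": "http://example.org/", "status": 302,
     "location": "http://example.org/home"},            # same-host redirect
]


def classify_redirect(tx):
    """Return a reason string if the transaction looks like an injected
    redirect of cleartext traffic, or None if it looks benign.

    This is a triage heuristic: legitimate off-host redirects (CDNs,
    link shorteners) will also be flagged and need analyst review."""
    req = urlsplit(tx["url"])
    if req.scheme != "http":
        return None  # only cleartext sessions can be rewritten on the path
    if not 300 <= tx["status"] < 400 or not tx.get("location"):
        return None  # not a redirect
    loc = urlsplit(tx["location"])
    if loc.hostname == req.hostname:
        return None  # same host, including an http->https upgrade
    if loc.scheme == "http":
        return "cleartext request redirected to another host over cleartext"
    return "cleartext request redirected to another host"


def flag_injected_redirects(transactions):
    """Return (request_url, location, reason) for every suspicious record."""
    flagged = []
    for tx in transactions:
        reason = classify_redirect(tx)
        if reason:
            flagged.append((tx["url"], tx["location"], reason))
    return flagged


if __name__ == "__main__":
    for url, loc, reason in flag_injected_redirects(SAMPLE_TRANSACTIONS):
        print(f"{url} -> {loc}: {reason}")
```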
Author: Nicolás Chiaraviglio, Security Research.