This article was published on December 17, 2021

Pegasus isn’t all you have to worry about: Meet Cytrox’s spyware, Predator

A new spyware is in town


Pegasus isn’t all you have to worry about: Meet Cytrox’s spyware, Predator
Ivan Mehta
Story by

Ivan Mehta

Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That's one heck of a mixed bag. He likes to say "Bleh." Ivan covers Big Tech, India, policy, AI, security, platforms, and apps for TNW. That's one heck of a mixed bag. He likes to say "Bleh."

Israel-based NSO Group’s Pegasus spyware comes first to mind when you think about notorious ways to snoop on people’s phones.

But there’s a new player in town: Cytrox. This lesser-known company was found enabling surveillance, in a joint investigation by Canada-based Citizen Lab, and Meta

In this story, we’ll break down the company’s origins and tell you about its spyware.

What is Cytrox?

Cytrox started as a North Macedonian startup, but documents reviewed by Citizen Lab suggest it has a presence in Israel and Hungary. Its description on Crunchbase says it provides “governments with an operational cyber solution” — quite vague.

The company is reportedly a part of Intexella — an alliance that wants to compete with the NSO Group.

Cytrox is a North Macedonia based security company
Cytrox is a North Macedonia based security company

The firm’s founder, Tal Dillian, has been involved with a number of operations that provide surveillance software.

Cytrox offers its own Pegasus rival called Predator (who’s making that Alien v Predator poster?) that spies on the victim’s phone. The firm also offers some products to Sphinx, a cyber espionage campaign targeting people located in Egypt and surrounding countries.

What did Citizen Lab find out about the Predator spyware?

An investigation by the Canada-based research firm revealed two Egyptian citizens were targets of Predator: Ayman Nour, the leader of an opposition party in the country, and an unnamed exiled journalist, who’s an anchor on a popular news show.

Notably, the spyware works on both Android and iOS. But the targets were hacked by a bug present in iOS 14.6 in June. We’ve asked Apple if the vulnerability has been fixed, and we’ll update the story if we hear back.

Attackers hacked these phones by sending innocuous-looking links on WhatsApp; these required just a single click to activate the spyware in question. Nour suspected that he had been a victim of a spyware attack when he noticed his phone was running too hot. Plus, the investigation revealed that in a one-of-a-kind case, his phone was attacked by both Predator and Pegasus.

An image accompanying a Cytrox Predator link sent to Nour purports to be a link to the legitimate website of the Al Masry Al Youm newspaper. The actual link goes to a fake lookalike domain, almasryelyuom[.]com.
An image accompanying a Cytrox Predator link sent to Nour purports to be a link to the legitimate website of the Al Masry Al Youm newspaper. The actual link goes to a fake lookalike domain, almasryelyuom[.]com. (Credit: Citizen Lab)
Researchers found out two commands running on iPhones that had references to “distedc[.]com.” They ran a Censys fingerprint — a service to trace the origins of a server — that pointed towards IP addresses belonging to Cytrox.

Citizen Lab’s investigation points towards additional domains observed in the Predator spyware attack. You can find the full list of associated domains — used for phishing or comprise attacks — in this GitHub file.

One of the most important aspects of spyware is that it can survive the rebooting of an iPhone, a process that can clear most spyware from its memory.

In the Android payload, researchers found several references to audio recording components that can log your conversations.

They also listed the governments that might be Cytrox’s clients: Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

You can read more about Citizen Lab’s investigation here.

What is Meta doing?

Meta released a new report on hack-for-hire operations. The company said it has kicked out 300 accounts related to Cytrox from Facebook and Instagram.

In its investigations, the social network noted that Cytrox used a network of domains “to spoof legitimate news entities in the countries of their interest and mimic legitimate URL-shortening and social media services.“

Meta has also blocked the accounts of six other hack-for-hire entities based in the US, India, Israel, and China.

You can read Meta’s full report here.

Here, there, spyware everywhere

Amnesty International, an organization focusing on human rights, said it’s willing to help out any activist who thinks they’ve been targeted. It also published a GitHub library of indicators that could help researchers in finding Predator spyware on phones.

After the report was published, Motherboard reporter Lorenzo Franceschi-Bicchierai reached out to Cytrox’s CEO and founder, Ivo Malinkovski. Hours later, he removed all references to the company from his profile — except one seen in the picture below.

This investigation has emerged in the same week when reports of the NSO Group shutting down Pegasus have surfaced. It suggests that while we’ve known a lot about Pegasus, there are other spyware companies out there that might be operating silently. It’s not over yet.

Published
Back to top