The spyware, known as "Predator" and created by the surveillance tech company Cytrox, was delivered through SMS messages and WhatsApp links sent to Eltantawy between May and September 2023.
Once clicked, these links would have installed the spyware on his phone, enabling remote access to messages, calls, location data, and more.This case highlights the human rights abuses enabled by the lightly regulated spyware industry. Cytrox and its Predator software have previously been linked to hacks of journalists, activists and political opposition worldwide. As such, the US Commerce Department added Cytrox to its "Entity List" this July.
The report also implicates network equipment provider Sandvine, whose technology was used to inject spyware into Eltantawy's web traffic. Sandvine products have been abused in this way before, yet safeguards appear lacking.
Citizen Lab argues this is another example of Canadian companies exporting dual-use technologies without sufficient human rights protections. They recommend reforms to prevent similar cases in the future.
"This is not the first time that technology companies with Canadian headquarters are implicated in the export of technologies used in violation of international human rights law. While Canada has signed a recent Statement of Principles pledging to create and uphold domestic and international controls on commercial spyware technology, the Canadian government has not taken any concrete action around human rights and export controls with respect to dual-use technology." - Citizen Lab wrote.
"we have recommended that the Canadian government ensure through law and meaningful sanctions that Canadian companies are prevented from exporting technologies to jurisdictions where there is a likelihood of human rights abuse." - futher added.
This disturbing new case demonstrates the tools authoritarian regimes utilize to monitor and silence dissent, in Egypt and around the world. It underscores the need for tech companies to prevent misuse as well as the importance of encrypted communication. Users everywhere should update devices and enable protective measures to mitigate these threats.
New iPhone Zero-day Exploit Chain Discovered
Researchers also discovered an iPhone zero-day exploit chain specifically designed to install Predator on iOS devices.
The exploit chain leveraged a set of three zero-day vulnerabilities – CVE-2023-41993 for initial remote code execution (RCE) in Safari using maliciously crafted web pages, the CVE-2023-41991 bug to bypass signature validation, and CVE-2023-41992 for kernel privilege escalation to achieve remote code execution on targeted devices.
However, on September 21, 2023, Apple issued security updates patching these vulnerabilities in iOS, iPadOS, macOS, and watchOS. Users are urged to update immediately and enable Lockdown Mode for added protection.
Google TAG also observed the attackers using a separate exploit chain to drop Predator spyware on Android devices in Egypt, exploiting CVE-2023-4762—a Chrome bug patched on September 5th—as a zero-day to gain remote code execution.
"This bug had already been separately reported to the Chrome Vulnerability Rewards Program by a security researcher and was patched on September 5th. We assess that Intellexa was also previously using this vulnerability as a 0-day," Google TAG's Maddie Stone said.
Citizen Lab also urged all Apple users at risk to install Apple's emergency security updates and enable Lockdown Mode to block the potential attacks exploiting this exploit chain.