While NSO Group was taking flak for hacking into the phones of journalists, activists and human rights defenders, an entire class of spyware makers and surveillance-for-hire outfits were operating as normal, largely unnoticed.
These private surveillance groups develop and deploy never-before-seen exploits that quietly hack into and steal the contents of a victim’s phone — call logs, text messages, emails, location data and more — often on behalf of authoritarian governments targeting their most vocal critics.
Now, following an investigation by researchers at Citizen Lab and Facebook’s new parent company, Meta, seven surveillance-for-hire groups have been banned from using the social media giant’s platforms to target other users.
Meta said Thursday that it has removed over 1,500 Facebook and Instagram accounts associated with the seven outfits, which the company said were used for reconnaissance, social engineering, and sending malicious links to thousands of victims in over 100 countries. Meta said it’s notified around 50,000 people it believes were targeted by the seven groups.
Although much of the recent focus of the surveillance industry has been on companies like NSO Group, both Citizen Lab and Meta warned that the wider surveillance-for-hire industry will continue to balloon if left unregulated. “It’s important to realize that NSO is only one piece of a much broader global cyber mercenary ecosystem,” according to a report of Meta’s investigation seen by TechCrunch before its publication.
One of the banned companies is Cytrox, a North Macedonia-based spyware maker. Meta said it found the company using a “vast” infrastructure of web domains mimicking legitimate news sites to target the iPhone and Android devices of its victims. Meta said it sent legal notices to Cytrox and blocked hundreds of domains associated with its infrastructure.
Meta was acting on findings by Citizen Lab, which also on Thursday released a forensic report into the hacking of phones belonging to two Egyptians living in exile — a former politician and the host of a popular news show who asked not to be named. Citizen Lab said the spyware that infected their phones in July 2021, dubbed Predator, was developed by Cytrox.
Citizen Lab first discovered the spyware on the iPhone belonging to Ayman Nour, an Egyptian politician and outspoken critic of the incumbent president, Abdel Fattah el-Sisi, who took over the country following a military coup in 2013. Nour, who lives in exile in Turkey, became suspicious when his phone was “running hot.” Citizen Lab found that Nour’s phone had been infected with Pegasus, the now-infamous spyware created by NSO Group. That led to the discovery that his phone had been concurrently hit by the newly discovered Predator spyware.
Both Nour’s phone and the phone belonging to the host of the news show were running iOS 14.6, the latest version of iOS at the time of the hacks, suggesting the spyware made use of a never-before-seen exploit in the iPhone’s software to infect the phones. Apple spokesperson Scott Radcliffe declined to say whether the company had fixed the vulnerability.
Predator shares a similar set of features to NSO’s Pegasus. Citizen Lab said Nour was sent a malicious link over WhatsApp. When opened, the spyware can access a phone’s cameras and microphone and can exfiltrate the phone’s data. Predator — unlike Pegasus — lacks the ability to silently infect a phone without any user interaction, but it makes up for that with persistence. Citizen Lab said the spyware can survive a reboot of an iPhone — typically clearing any spyware lurking in its memory — by creating an automation using the Shortcuts feature built into iOS.
The researchers said that, “remarkably,” Nour’s phone was compromised at the same time with both Pegasus and Predator, but that the infections were likely unrelated.
“Based on the slapdash nature of Predator’s code, it’s clear we’re looking at the B Team here,” said Bill Marczak, one of the Citizen Lab researchers who discovered and analyzed the Predator malware. “Even so, Predator was still able to break into the latest, fully up-to-date phones, so it’s no surprise that we found repressive governments, including Egypt and Saudi Arabia, as Predator operators.”
Citizen Lab said it was likely that Predator is being used by government customers in Armenia, Greece, Serbia, Indonesia, Madagascar and Oman — plus Egypt and Saudi Arabia, which are known to target their critics with mobile spyware. Meta, meanwhile, said its investigation found Predator customers in Vietnam, the Philippines and Germany.
Cytrox CEO Ivo Malinkovski could not be reached for comment; an email sent prior to publication bounced as undelivered.
Meta said that it also banned four other Israeli companies involved in the surveillance-for-hire business: Cobwebs, Cognyte, Black Cube and Bluehawk. In addition, it banned BellTrox, an Indian hacking outfit accused of hacking into thousands of email accounts belonging to politicians and government officials, and a China-based spyware maker believed to be used by China’s law enforcement.
Although NSO has faced legal challenges and restrictions on its business dealings in large part because of accusations of abuse and spying on members of civil society — claims that the company has repeatedly denied — the social media giant warned that the growing surveillance industry continues to proliferate regardless.
“We will continue to investigate and enforce against anyone abusing our apps,” Meta’s report said. “However, these cyber mercenaries work across many platforms and national boundaries. Their capabilities are used by both nation-states and private enterprises, and effectively lower the barrier to entry for anyone willing to pay. For their targets, it is often impossible to know they are being surveilled across the internet.”
You can contact this reporter securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more.