Skip to content

After Pegasus, governments use Predator to hunt down targets

  • by
  • 3 min read
Hacking Android: How your phone can be compromised by a rogue app

Exiled Egyptian politician Ayman Nour and another fellow Egyptian who hosted a popular news program in the country and wished to remain anonymous were being hacked by Predator, a spyware software built and sold by Cytrox. To make matters worse, Ayman’s phone was hacked by NSO Group’s Pegasus and Cytrox’s Predator at the same time, both operated by different entities. 

According to Citizen Labs’ analysis published Thursday, Ayman’s phone was hacked by Predator back in June 2021 and was able to infect the then-latest iOS 14.6 using a one-tap exploit sent via Whatsapp links.

The NSO Group has been taking worldwide flak for quite some time now around its Pegasus spyware software which has been used to target activists, journalists and dissidents alike. This considerable worldwide attention on NSO, including the US putting the company on a trade blocklist, has allowed multiple other lesser-known spyware mercenary companies to continue working under the radar.

In the News: Log4j turns out to be far more dangerous; CISA orders fixing

The star alliance of Spyware?

To compete with the NSO group over the spyware market, Cytrox was part of Intellexa, an apparent “star alliance of Spyware”, describing itself as EU based and regulated. The alliance even goes as much as to state that they have six sites and R&D Labs throughout Europe. 

Cytrox itself was founded in 2017 and is described in Crunchbase as providing governments with cyber solutions to help gather information, whether it’s the cloud or standalone devices. The company potentially has customers in Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia.

Citizen Labs has shared the acquired Predator samples with Apple, who has confirmed that they’re investigating them. Additionally, since Whatsapp was involved quite heavily in sending Predator’s one-tap exploit links, Citizen Labs has also reported “forensic artefacts” with Meta’s security team.

This action has led Meta to take enforcement action against Cytrox, including removing around 300 Instagram and Facebook accounts linked to the company. Additionally, Meta also announced that it removed 1500 accounts related to seven different outfits (banning the companies themselves from its platforms), which were reportedly used for reccying, social engineering and sending malicious links to targets in over 100 countries, adding that it had warned over 50,000 people who were targeted by these outfits. 

This action is in-line with Apple’s announcement earlier this year that they’ll be notifying users targeted by any such exploits as well as fixing Pegasus’ ForcedEntry zero-click exploit for iMessage in addition to suing NSO Group and its parent company OSY Technologies.

In the News: Hack DHS: Homeland Security’s bug bounty program that pays up to $5000

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: