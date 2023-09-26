September 26, 2023 03:19 pm | Updated 03:19 pm IST

Security bugs in Apple’s iOS and Google’s Chrome were exploited by threat actors to infect devices with Cytrox’s Predator spyware. The bugs, which have since been patched, were chained together in an exploit chain that installed the spyware, Citizen Lab and Google’s Threat Analysis Group said in a joint blog post.

The bugs were exploited between May and September 2023 in attacks using decoy SMS and WhatsApp messages targeting a former Egyptian legislator, Ahmed Eltantawy, after he announced plans to join the Egyptian presidential election in 2024.

During the investigation it was found that the former MP’s mobile connection was persistently targeted whenever he browsed certain websites over plain HTTP rather than HTTPS. A device installed on a Vodafone network in Egypt was then used to redirect him to a malicious website that infected his phone with the spyware. Because the pages were loaded without TLS, an on-path device could rewrite the server’s response without the browser noticing.

The exploit chain was triggered automatically after the redirection, running code that first decided whether the spyware should be installed on the compromised device at all.
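The injection described above only works because the original request was plain HTTP: an on-path box can swap the real response for a redirect to its own server. The following is an added example, not code from Citizen Lab, Google TAG or the article, of a simple triage heuristic that walks captured request/response pairs and flags a plaintext request that was answered with a redirect to a different host. The traffic sample and all hostnames are constructed placeholders.

```python
"""Heuristic detector for plaintext-HTTP redirect injection.

Added example, not code from the original article. The sample traffic
below is constructed and every hostname is a placeholder.
"""
from urllib.parse import urlparse

# Constructed sample: (URL the browser requested, raw HTTP response bytes seen on the wire)
SAMPLE_TRAFFIC = [
    # Normal page load over HTTP, no redirect.
    ("http://news.example/article/1",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"),
    # Benign same-host upgrade from http to https.
    ("http://news.example/article/2",
     b"HTTP/1.1 302 Found\r\nLocation: https://news.example/article/2\r\nContent-Length: 0\r\n\r\n"),
    # Plaintext request answered with a redirect to an unrelated host: the injection pattern.
    ("http://news.example/article/3",
     b"HTTP/1.1 302 Found\r\nLocation: http://attacker-placeholder.example/landing\r\nContent-Length: 0\r\n\r\n"),
    # Cross-host redirect, but the request was HTTPS, so an on-path device could not have forged it.
    ("https://news.example/article/4",
     b"HTTP/1.1 302 Found\r\nLocation: http://other.example/x\r\nContent-Length: 0\r\n\r\n"),
]


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP/1.x response; header names are lowercased."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_suspicious_redirect(requested_url, raw_response):
    """True when a plain-HTTP request was answered with a redirect to a different host."""
    req = urlparse(requested_url)
    if req.scheme != "http":
        return False  # TLS-protected: an on-path device cannot rewrite this response
    status, headers = parse_response(raw_response)
    if not 300 <= status < 400 or "location" not in headers:
        return False
    loc = urlparse(headers["location"])
    # A relative Location (no host) or a same-host target is an ordinary redirect.
    if loc.hostname is None or loc.hostname == req.hostname:
        return False
    return True


def flag_injected_redirects(traffic):
    """Return the requested URLs whose responses match the injection pattern."""
    return [url for url, raw in traffic if is_suspicious_redirect(url, raw)]


if __name__ == "__main__":
    for url in flag_injected_redirects(SAMPLE_TRAFFIC):
        print("suspicious plaintext redirect:", url)
```

This is triage input, not proof: legitimate cross-host redirects over HTTP exist (CDNs, link shorteners, ad trackers), so a hit needs manual review. The structural fix is the one the article implies: HTTPS everywhere with HSTS so the browser never issues the plaintext request in the first place.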

Similar methods were also used by the attackers with a separate exploit chain in Google’s Chrome to gain remote code execution on Android devices in Egypt. The Chrome bug had already been reported to the Chrome Vulnerability Rewards Program by a security researcher and was fixed on 5 September.

Some of the domains used to target the devices “appeared to be geared at targets in countries previously identified as Cytrox Predator customers, including Egypt, Greece, and Madagascar,” Citizen Lab and Google’s Threat Analysis Group said.

“Given that Egypt is a known customer of Cytrox’s Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the network injection attack to the Egyptian government with high confidence,” Citizen Lab said.

Citizen Lab researchers also disclosed two other zero-day vulnerabilities, fixed by Apple in its emergency security updates, that were abused as part of a separate zero-click exploit chain to infect fully patched iPhones with NSO Group’s Pegasus.

Apple fixed the three zero-days in iOS 16.7 and iOS 17.0.1 (with iOS 16.7 covering devices back to the iPhone 8), along with corresponding updates for iPad, Mac and Apple Watch. Apple’s Security Engineering and Architecture team, meanwhile, confirmed that Lockdown Mode blocks this particular attack.

Citizen Lab has urged everyone to immediately update their devices to ensure security.

