Apple Fixes Bugs That Infected Egyptian Politician's iPhone
Cytrox's Predator Found on Device of Ahmed Eltantawy

Apple released patches Thursday to close three actively exploited vulnerabilities that researchers said commercial spyware maker Cytrox used to infect the iPhone of Egyptian politician Ahmed Eltantawy with Predator malware.
Affected devices include the iPhone 8 and subsequent models, desktops running macOS Monterey or newer versions as well as models of the iPad Mini and Apple Watch released in recent years. Also affected is Apple's Safari browser.
Apple credits discovery of the flaws to the University of Toronto's Citizen Lab and Maddie Stone of Google's Threat Analysis Group. The Canadian organization and Stone collaborated to analyze the smartphone of the former member of the Egyptian Parliament who earlier this year announced a presidential bid in the Arab country's 2024 election.
The Citizen Lab attributes the attack "with high confidence" to the Egyptian government, given that Cairo is a known customer of the Hungary-based spyware maker and the attack appears to have taken place through Vodafone's Egypt network. "Precisely targeting injection at an individual Vodafone subscriber would require integration with Vodafone’s subscriber database," The Citizen Lab wrote.
It is likely that state authorities used PacketLogic, a network policy control product developed by the Canadian company Sandvine, the report added. With that tool in the network path, they were able to redirect an internet request from Eltantawy's phone to a malicious site that downloaded Predator.
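The redirect described above is only possible where the in-path box can read and rewrite the exchange, which in practice means unencrypted HTTP. The following is an added detection example, not code from the article or from The Citizen Lab: it scans a handful of constructed HTTP transaction records and flags plaintext requests that were answered with a redirect to a different site. The record format, the `HttpRecord` class and the sample hosts are assumptions made for the example.

```python
"""
Flag plaintext-HTTP responses that redirect the client to a different site.

Added example (not from the article or from Citizen Lab). Rationale: an
in-path injection device can only rewrite traffic it can read, so a
cross-site redirect delivered on an unencrypted HTTP exchange is the
observable artefact of the kind of network injection the article describes.
All records below are constructed; the hostnames are placeholders.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Redirect status codes a browser will follow automatically.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


@dataclass(frozen=True)
class HttpRecord:
    """One client request/response pair as a proxy or sensor might log it."""
    scheme: str         # "http" or "https", as requested by the client
    host: str           # host the client asked for
    status: int         # response status code
    location: str = ""  # Location header from the response, if any


def _same_site(a: str, b: str) -> bool:
    """Treat a host and its subdomains (example.com / www.example.com) as one site."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def is_suspicious_redirect(rec: HttpRecord) -> bool:
    """True when a plaintext request is answered with a redirect off-site."""
    # Only cleartext exchanges can be rewritten by an in-path device.
    if rec.scheme.lower() != "http" or rec.status not in REDIRECT_STATUSES:
        return False
    target = urlsplit(rec.location)
    # A relative Location stays on the requested host: not cross-site.
    if not target.netloc:
        return False
    # The normal http -> https upgrade of the same site is benign.
    return not _same_site(target.hostname or "", rec.host)


def flag_records(records):
    """Return the subset of records that match the injection pattern."""
    return [r for r in records if is_suspicious_redirect(r)]


# Constructed sample traffic (hostnames are placeholders, not real sites).
SAMPLE = [
    HttpRecord("http", "news.example", 302, "https://news.example/"),          # benign upgrade
    HttpRecord("http", "news.example", 301, "http://www.news.example/"),       # same site
    HttpRecord("http", "news.example", 302, "http://injected-site.invalid/"),  # suspicious
    HttpRecord("https", "bank.example", 302, "http://injected-site.invalid/"), # TLS: out of scope
    HttpRecord("http", "blog.example", 200),                                   # no redirect
]

if __name__ == "__main__":
    for rec in flag_records(SAMPLE):
        print(f"suspicious: {rec.scheme}://{rec.host} -> {rec.location}")
```

The check deliberately ignores HTTPS exchanges: a redirect injected there would require the client to accept a forged certificate, which is a different and far noisier event. On real sensor output, the interesting follow-up is whether the redirect target was ever seen before and whether the request was for a site that normally redirects to its own HTTPS origin.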
The trio of vulnerabilities, tracked as CVE-2023-41991, CVE-2023-41992 and CVE-2023-41993, includes certificate validation issues, a kernel security flaw and a WebKit flaw that enables arbitrary code execution.
This marks the second time this month that The Citizen Lab has tipped off Apple to flaws exploited by commercial spyware makers. In early September, the group published findings of how NSO Group, maker of the Pegasus advanced spyware app, had used a zero-click exploit to infect at least one iPhone carried by an individual employed at a Washington, D.C.-based civil society organization (see: Apple Fixes Zero-Click Bugs Exploited by NSO Group's Spyware).