December 8, 2021

Predator & Pegasus

Entry Type
Security Guidance
Threat Type
Surveillanceware
Platform(s) Affected
iOS
Android

Lookout Coverage and Recommendation for Admins

To ensure coverage against these attacks, Lookout admins should make sure the default surveillanceware and device exploitation detection policies are turned on. They should set these alerts to high priority and block the device from accessing corporate resources until the issue is resolved.

In addition, admins should enable Lookout Phishing and Content Protection to guard against attacks that deliver malicious payloads via phishing links on messaging platforms. This protects both managed and BYOD devices by blocking the connection before the payload can be fetched and executed.

Overview

In the latest case of state-sponsored mobile surveillanceware, two Egyptians were targeted and spied on with both Predator spyware, developed by Cytrox, and NSO Group’s Pegasus. Predator is a newer mobile surveillanceware that appears to use an attack chain similar to Pegasus and, like Pegasus, can target individuals on both iOS and Android. Cytrox is part of Intellexa, which describes itself on its website as “an EU based and regulated company, with six sites and R&D labs throughout Europe” and competes with NSO Group in the surveillanceware market.

In this case, Predator was delivered to the targets through a malicious WhatsApp link. Once the initial stage has run, both the iOS and Android versions of Predator call out to the command-and-control server for additional loader files. On Android, persistence does not appear to be a concern; on iOS, Predator downloads a component that abuses the iOS Shortcuts automation feature to re-trigger the exploit whenever one of 44 apps is opened. This is presumably how the spyware silently reinstalls itself in the background.

Lookout Analysis

The mobile surveillanceware market is growing, creating more opportunity for smaller or less-known groups to emerge. Mobile devices continue to be a primary attack vector for cyber criminals. Mobile malware, surveillanceware, and ransomware can take down infrastructure and track a target’s every move, as attackers go after individuals where they are most vulnerable. As iOS and Android devices become integral to work and daily life, they need to be secured with as much priority as, if not more than, any other device.

