Researchers discover attempt to infect leading Egyptian opposition politician with Predator spyware

BOSTON (AP) — A leading Egyptian opposition politician was targeted with spyware after announcing a presidential bid, security researchers reported Friday. They said Egyptian authorities were likely behind the attempted hack.

Discovery of the attempt last week by researchers at Citizen Lab and Google’s Threat Analysis Group prompted Apple to rush out operating system updates for iPhones, iPads, Mac computers and Apple Watches to patch the associated vulnerabilities.

Citizen Lab said in a blog post that recent attempts to hack former Egyptian lawmaker Ahmed Altantawy involved configuring his connection to the Vodaphone Egypt mobile network to automatically infect his devices with the Predator spyware if he visited certain websites not using the secure HTTPS protocol.

Bill Marczak, the researcher involved at the University of Toronto-based internet watchdog, declined to provide more detail on how he and Google researcher Maddie Stone discovered the spyware exploit chain, which he said was sent to Altantawy’s phone via SMS and WhatsApp links from Egyptian soil.

Once infected, the Predator spyware turns a smartphone into a remote eavesdropping device and lets the attacker siphon off data.

“It’s scary the fact that the government can essentially select anyone on Vodafone Egypt’s network and perhaps other networks for infections and they just flip a switch” and select them for targeting, he said. Marczak said “the most likely scenario here is that, yes, there is this cooperation from from Vodafone.”

Altantawy did not immediately respond to a request for comment on being targeted by the alleged spyware, nor did Egyptian officials.

Citizen Lab had previously identified Egypt as a customer of Predator’s maker, Cytrox, and determined that Altantawy’s phone was successfully hacked with it in 2021 in a separate incident.

Citizen Lab also previously documented Predator infections affecting two exiled Egyptians, and in a joint probe with Facebook determined that Cytrox had customers in countries including Armenia, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.

Altantawy, a former journalist and lawmaker, announced in March his bid to challenge incumbent President Abdel Fatah el-Sissi in 2024, who has overseen a sharp crackdown on political opposition. Rights groups accuse el-Sissi’s administration of targeting dissent with brutal tactics — forced disappearances, torture and long-term detentions without trial.

Altantawy, family members and supporters have complained of being harrassed, which led him to ask Citizen Lab researchers to analyze his phone for potential spyware infection.

“We didn’t see any evidence of a successful hack, but we did note that he had (the phone) in lockdown mode,” said Marczak.

Apple offers lockdown mode for iPhone users at high risk of being targeted with spyware, who include human rights activists, journalists and opposition politicians in countries like Egypt.

In July, the U.S. added Predator’s maker, Cytrox, to its blacklist for developing surveillance tools deemed to have threatened U.S. national security as well as individuals and organizations worldwide. That makes it illegal for U.S. companies to do business with them. Israel NSO Group, maker of the Pegasus spyware, was similarly sanctions in November 2021. The reported use of Predator in Greece helped precipitate the resignation last year of two top government officials, including the national intelligence director.

The latest discovery brings to five the number of zero-day vulnerabilities to Apple software for which patches have been released this month.

——-

AP reporter Maggie Hyde in Cairo contributed.