BOSTON (AP) 鈥 A leading Egyptian opposition politician was targeted with spyware multiple times after announcing a presidential bid 鈥 including with malware that automatically infects smartphones, security researchers have found. They say Egyptian authorities were likely behind the attempted hacks.
Discovery of the malware by researchers at Citizen Lab and Google鈥檚 Threat Analysis Group prompted Apple to updates for iPhones, iPads, Mac computers and Apple Watches to patch the associated vulnerabilities.
Citizen Lab said that attempts beginning in August to hack former Egpytian lawmaker Ahmed Altantawy involved configuring his phone's connection to the Vodaphone Egypt mobile network to automatically infect it with Predator spyware if he visited certain websites not using the secure HTTPS protocol.
Citizen Lab said the effort likely failed because Altantawy had his phone in 鈥渓ockdown mode,鈥 which Apple recommends for iPhone users at high risk, including rights activists, journalists and political dissidents in countries like Egypt.
Prior to that, Citizen Lab said, attempts were made beginning in May to hack Altantawy鈥檚 phone with Predator via links in SMS and WhatsApp messages that he would have had to click on to become infected.
Once infected, the Predator spyware turns a smartphone into a remote eavesdropping device and lets the attacker siphon off data.
Given that Egypt is a known customer of Predator's maker, Cytrox, and the spyware was delivered via network injection from Egyptian soil, Citizen Lab said it had 鈥渉igh confidence鈥 Egypt's government was behind the attack.
Bill Marczak of the University of Toronto-based internet watchdog obtained the exploit chain with Google researcher Maddie Stone.
"It's scary the fact that the government can essentially select anyone on Vodafone Egypt鈥檚 network and perhaps other networks for infections and they just flip a switch鈥 and select them for targeting, he said. Marczak said 鈥渢he most likely scenario here is that, yes, there is this cooperation from from Vodafone.鈥
In a separate incident in 2021, Citizen Lab determined that Altantawy 鈥 who announced his candidacy in March 鈥 was successfully hacked with Predator.
Egyptian officials did not respond Saturday to requests for comment.
Altantawy, a former journalist, announced in March his bid to challenge incumbent President Abdel Fatah el-Sissi in 2024, who has overseen a sharp crackdown on political opposition. Rights groups accuse el-Sissi鈥檚 administration of targeting dissent with brutal tactics 鈥 forced disappearances, torture and long-term detentions without trial.
Altantawy, family members and supporters have , which led him to ask Citizen Lab researchers to analyze his phone for potential spyware infection.
Altantawy said Saturday in written responses to questions relayed by a trusted intermediary, who requested anonymity for personal security, that he contacted Citizen Lab after receiving a series of suspicious and anonymous messages embedded with links he suspected were malicious.
He said he believed the hacking attempts were 鈥渋nextricably linked to my political candidacy and my opposition role in the country against the Sisi regime鈥 and sought 鈥渘ot only to surveil, but perhaps also to find compromising material that could be used to discredit or defame me.鈥
Altantawy also said the incident raises questions about whether telecommunications companies operating in Egypt might be complicit.
Previously, Citizen Lab documented Predator infections affecting two exiled Egyptians, and in a that Cytrox had customers in countries including Armenia, Greece, Indonesia, Madagascar, Oman, Saudi Arabia and Serbia.
In July, the to its blacklist for developing surveillance tools deemed to have threatened U.S. national security as well as individuals and organizations worldwide. That makes it illegal for U.S. companies to do business with them. Israel NSO Group, maker of the Pegasus spyware, was similarly sanctions in November 2021. The reported use of Predator in last year of two top government officials, including the national intelligence director.
The latest discovery brings to five the number of zero-day vulnerabilities to Apple software for which patches have been released this month.
