ONE Jailbreak Ad

Detect Predator spyware on Phone

Promotion image of Detect Predator spyware article.

Cytrox, a prominent Macedonian cybersecurity firm, gained notoriety in 2021 for its development and dissemination of the Predator spyware targeting iPhones. This sophisticated spyware successfully infiltrated iOS 14.6, the latest OS version at the time, through the utilization of single-click links distributed via the popular messaging platform, WhatsApp. Predator persists after reboot using the iOS automation feature.

The Predator spyware was presumably deployed by governmental entities, including those of Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. Its targets span a spectrum from political opposition and journalists to the hosts of influential news programs, indicating a wide-reaching surveillance operation. However, it's worth noting that the company currently operates under various names across the European Union.

Once the Predator loader is activated, it initiates the download of Python scripts onto your iPhone to establish control over the device. Subsequently, upon loading the Predator configuration, the iOS loader proceeds to purge the device's crash logs, effectively eliminating all related files. Following this, it retrieves a configuration file and subsequent stages of the spyware from the designated server.

On iOS, the Predator loader executes a function responsible for downloading an iOS shortcut automation from the spyware server, ensuring its persistence. This automation is designed to activate when specific apps are launched, encompassing a range of built-in Apple applications.

In total, more than 44 apps are meticulously monitored including the App Store, Camera, Mail, Maps, and Safari, along with popular third-party apps such as Twitter, Instagram, Facebook, LinkedIn, Skype, SnapChat, Viber, TikTok, Line, OpenVPN, WhatsApp, Signal, and Telegram.

The Predator shortcut operates entirely in the background, remaining invisible to the user. This stealthiness is achieved as Predator modifies a setting to disable notifications triggered by automation. Cytrox and its Predator spyware, are relatively unknown, unlike Pegasus.

How to detect Predator spyware on iOS

To ascertain whether the Predator spyware has been installed on your iPhone, it is necessary to first create a backup of your device. Subsequently, employing a tool like the MVT becomes imperative in determining the presence of Cytrox spyware on your iDevice.

MVT utilizes various indicators such as malware, relationships, bundled files, domain names, and Apple IDs associated with compromising your device, as well as monitoring running processes to effectively detect the installation of Predator. MVT uses cytrox.stix2 indicator to identify and detect Predator spyware from your iPhone backup file.

Note: Encrypted iOS backups contain additional intriguing records that are unavailable in their unencrypted counterparts. These encompass significant data such as Safari history, Safari state, and other pertinent information, enhancing the forensic analysis.

Follow the steps to detect Predator spyware on iOS:

Step 1. Install Mobile Verification Toolkit on Desktop.

Step 2. Connect your iPhone to your computer through a USB cable.

Step 3. Create an iPhone Backup (encrypted) using iTunes or command line tools.

Step 4. Open your preferred terminal application.

Step 5. Excetut the following command to decrypt the iOS backup.

mvt-ios decrypt-backup -d $decrypted_backup_directory $backup_directory

Step 6. Enter the password for encryption of the iOS backup file.

Step 7. Update MVT indicators to the latest version.

mvt-ios download-iocs

Step 8. Scan iOS backup with MVT to determine if Predator spyware was installed.

mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory

Step 9. View the command line prompt for Predator spyware detection status.

Step 10. For further analysis, you can navigate through $mvt_output_directory files.

Author Photo
Written by

Kuba has over 20 years of experience in journalism, focusing on jailbreak since 2012. He has interviewed professionals from various companies. Besides journalism, Kuba specializes in video editing and drone flying. He studied IT at university before his writing career.

Post a comment

Latest Posts

Nugget

Nugget unlocks your iPhones full potential on iOS 18

LeminLimez released a new project that allows users to activate some hidden iOS features on iOS 17.0. I took a look into Nugget, an open-source software that promises to enable Dynamic Island, Always On Display, set device model name, disable region restrictions...

How to Boost Your Social Media Views

How to Boost Your Social Media Views with Effective Content Strat

Social media channels are the main tools for personal expression, brand-building, and communication in the digital age. However, one of the main difficulties people and companies face on social media is standing out amidst the vast content shared daily...

mitmproxy

mitmproxy reverse engineer toolbox for apps API on iOS

mitmproxy, developed by the Mitmproxy Project, is a powerful and interactive intercepting proxy that supports SSL/TLS and provides a console interface for handling HTTP/1, HTTP/2, and WebSocket traffic. This tool is particularly useful for capturing and...