Detect Predator spyware on Phone
Cytrox, a prominent Macedonian cybersecurity firm, gained notoriety in 2021 for its development and dissemination of the Predator spyware targeting iPhones. This sophisticated spyware successfully infiltrated iOS 14.6, the latest OS version at the time, through the utilization of single-click links distributed via the popular messaging platform, WhatsApp. Predator persists after reboot using the iOS automation feature.
The Predator spyware was presumably deployed by governmental entities, including those of Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. Its targets span a spectrum from political opposition and journalists to the hosts of influential news programs, indicating a wide-reaching surveillance operation. However, it's worth noting that the company currently operates under various names across the European Union.
Once the Predator loader is activated, it initiates the download of Python scripts onto your iPhone to establish control over the device. Subsequently, upon loading the Predator configuration, the iOS loader proceeds to purge the device's crash logs, effectively eliminating all related files. Following this, it retrieves a configuration file and subsequent stages of the spyware from the designated server.
On iOS, the Predator loader executes a function responsible for downloading an iOS shortcut automation from the spyware server, ensuring its persistence. This automation is designed to activate when specific apps are launched, encompassing a range of built-in Apple applications.
In total, more than 44 apps are meticulously monitored including the App Store, Camera, Mail, Maps, and Safari, along with popular third-party apps such as Twitter, Instagram, Facebook, LinkedIn, Skype, SnapChat, Viber, TikTok, Line, OpenVPN, WhatsApp, Signal, and Telegram.
The Predator shortcut operates entirely in the background, remaining invisible to the user. This stealthiness is achieved as Predator modifies a setting to disable notifications triggered by automation. Cytrox and its Predator spyware, are relatively unknown, unlike Pegasus.
How to detect Predator spyware on iOS
To ascertain whether the Predator spyware has been installed on your iPhone, it is necessary to first create a backup of your device. Subsequently, employing a tool like the MVT becomes imperative in determining the presence of Cytrox spyware on your iDevice.
MVT utilizes various indicators such as malware, relationships, bundled files, domain names, and Apple IDs associated with compromising your device, as well as monitoring running processes to effectively detect the installation of Predator. MVT uses cytrox.stix2 indicator to identify and detect Predator spyware from your iPhone backup file.
Note: Encrypted iOS backups contain additional intriguing records that are unavailable in their unencrypted counterparts. These encompass significant data such as Safari history, Safari state, and other pertinent information, enhancing the forensic analysis.
Follow the steps to detect Predator spyware on iOS:
Step 1. Install Mobile Verification Toolkit on Desktop.
Step 2. Connect your iPhone to your computer through a USB cable.
Step 3. Create an iPhone Backup (encrypted) using iTunes or command line tools.
Step 4. Open your preferred terminal application.
Step 5. Excetut the following command to decrypt the iOS backup.
mvt-ios decrypt-backup -d $decrypted_backup_directory $backup_directory
Step 6. Enter the password for encryption of the iOS backup file.
Step 7. Update MVT indicators to the latest version.
mvt-ios download-iocs
Step 8. Scan iOS backup with MVT to determine if Predator spyware was installed.
mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory
Step 9. View the command line prompt for Predator spyware detection status.
Step 10. For further analysis, you can navigate through $mvt_output_directory files.
