ONE Jailbreak Ad

Detect Predator spyware on Phone

Promotion image of Detect Predator spyware article.

Cytrox, a prominent Macedonian cybersecurity firm, gained notoriety in 2021 for its development and dissemination of the Predator spyware targeting iPhones. This sophisticated spyware successfully infiltrated iOS 14.6, the latest OS version at the time, through the utilization of single-click links distributed via the popular messaging platform, WhatsApp. Predator persists after reboot using the iOS automation feature.

The Predator spyware was presumably deployed by governmental entities, including those of Armenia, Egypt, Greece, Indonesia, Madagascar, Oman, Saudi Arabia, and Serbia. Its targets span a spectrum from political opposition and journalists to the hosts of influential news programs, indicating a wide-reaching surveillance operation. However, it's worth noting that the company currently operates under various names across the European Union.

Once the Predator loader is activated, it initiates the download of Python scripts onto your iPhone to establish control over the device. Subsequently, upon loading the Predator configuration, the iOS loader proceeds to purge the device's crash logs, effectively eliminating all related files. Following this, it retrieves a configuration file and subsequent stages of the spyware from the designated server.

On iOS, the Predator loader executes a function responsible for downloading an iOS shortcut automation from the spyware server, ensuring its persistence. This automation is designed to activate when specific apps are launched, encompassing a range of built-in Apple applications.

In total, more than 44 apps are meticulously monitored including the App Store, Camera, Mail, Maps, and Safari, along with popular third-party apps such as Twitter, Instagram, Facebook, LinkedIn, Skype, SnapChat, Viber, TikTok, Line, OpenVPN, WhatsApp, Signal, and Telegram.

The Predator shortcut operates entirely in the background, remaining invisible to the user. This stealthiness is achieved as Predator modifies a setting to disable notifications triggered by automation. Cytrox and its Predator spyware, are relatively unknown, unlike Pegasus.

How to detect Predator spyware on iOS

To ascertain whether the Predator spyware has been installed on your iPhone, it is necessary to first create a backup of your device. Subsequently, employing a tool like the MVT becomes imperative in determining the presence of Cytrox spyware on your iDevice.

MVT utilizes various indicators such as malware, relationships, bundled files, domain names, and Apple IDs associated with compromising your device, as well as monitoring running processes to effectively detect the installation of Predator. MVT uses cytrox.stix2 indicator to identify and detect Predator spyware from your iPhone backup file.

Note: Encrypted iOS backups contain additional intriguing records that are unavailable in their unencrypted counterparts. These encompass significant data such as Safari history, Safari state, and other pertinent information, enhancing the forensic analysis.

Follow the steps to detect Predator spyware on iOS:

Step 1. Install Mobile Verification Toolkit on Desktop.

Step 2. Connect your iPhone to your computer through a USB cable.

Step 3. Create an iPhone Backup (encrypted) using iTunes or command line tools.

Step 4. Open your preferred terminal application.

Step 5. Excetut the following command to decrypt the iOS backup.

mvt-ios decrypt-backup -d $decrypted_backup_directory $backup_directory

Step 6. Enter the password for encryption of the iOS backup file.

Step 7. Update MVT indicators to the latest version.

mvt-ios download-iocs

Step 8. Scan iOS backup with MVT to determine if Predator spyware was installed.

mvt-ios check-backup -o $mvt_output_directory $decrypted_backup_directory

Step 9. View the command line prompt for Predator spyware detection status.

Step 10. For further analysis, you can navigate through $mvt_output_directory files.

Author Photo
Written by

Kuba has over 20 years of experience in journalism, focusing on jailbreak since 2012. He has interviewed professionals from various companies. Besides journalism, Kuba specializes in video editing and drone flying. He studied IT at university before his writing career.

Post a comment

Latest Posts

App Store compatible apps with Satella

App Store compatible apps with Satella

Satella is a simple tweak that unlocks premium features in App Store apps. It works on both jailbroken and non-jailbroken devices. However, it is only compatible with in-app purchases implemented by iOS apps without any additional layer of protection. Having...

Mobile Verification Toolkit

How to install Mobile Verification Toolkit (MVT)

Mobile Verification Toolkit (MVT) serves as a valuable tool for streamlining the consensual forensic analysis of iOS devices, enabling the identification of compromise indicators. This innovative toolkit, by the Amnesty International Security Lab, emerged...

Have a Jailbroken Firestick? Do this now!

Have a Jailbroken Firestick? Do These Things Right Now!

Jailbreaking Firestick has become a common practice. It opens up the device to various possibilities. Users get to install third-party streaming apps. It gives them access to entertainment content they otherwise cannot get through...