Apple recently released emergency security patches for iPhones, iPads, MacBooks, and Apple Watches that target several "zero-day" vulnerabilities that could leave a device open to spyware.
As usual, Apple released very few details about the security vulnerabilities or their exploits. "For the protection of our customers, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are generally available," Apple says.
The emergency update targeted three issues: CVE-2023-41992, CVE-2023-41991, and CVE-2023-41993, Apple said. The third vulnerability affects "processing web content [that] may lead to arbitrary code execution" and "Apple is aware of a report that this issue may have been actively exploited against versions of iOS before iOS 16.7."
"During our investigation, we worked with Google’s Threat Analysis Group to obtain an iPhone zero-day exploit chain (CVE-2023-41991, CVE-2023-41992, CVE-2023-41993) designed to install Predator on iOS versions through 16.6.1," said Citizen Lab. "We also obtained the first stage of the spyware, which has notable similarities to a sample of Cytrox’s Predator spyware we obtained in 2021. We attribute the spyware to Cytrox’s Predator spyware with high confidence."
Owners of iPhone, iPad, MacBook, and Apple Watch devices are urged to update their devices as soon as possible. For the iPhone and iPad, users are advised to go to Settings, then select General, tap Software Updates, and then tap the Update Now button.
Although the spyware can be difficult to locate, certain tools such as iVerify can be used to figure out whether the malware is on your phone or device. Some researchers have stated that restarting an iPhone or another smartphone model by turning it off and turning it back on can disrupt the spyware, noting that users often do not restart their phones.
Spyware DiscoveredAccording to various published reports, the Predator spyware was allegedly sold to a multitude of state-backed actors in Armenia, Egypt, Madagascar, Greece, Ivory Coast, Indonesia, and others. Last week, both Google and Citizen's Lab found that Predator was found on the phone of former Egyptian lawmaker Ahmed Altantawy, described as a leading opposition party politician.
Prior to that, Citizen Lab said, attempts were made beginning in May to hack Mr. Altantawy’s phone with Predator via links in SMS and WhatsApp messages that he would have had to click on to become infected.
Mr. Altantawy, family members, and supporters have complained of being harrassed, which led him to ask Citizen Lab researchers to analyze his phone for potential spyware infection.
Once infected, the Predator spyware turns a smartphone into a remote eavesdropping device and lets the attacker siphon off data.
Given that Egypt is a known customer of Predator’s maker, Cytrox, and the spyware was delivered via network injection from Egyptian soil, Citizen Lab said it had “high confidence” Egypt’s government was behind the attack.