Predator by Cytrox: Spyware discovered on phone of Greek journalist

A committee of enquiry in the EU Parliament is to look into the use of mercenary spyware against opposition members and media workers in Europe. German clients could also be in the spotlight, according to an analysis by the Meta Group.

On 10 March, the European Parliament decided to set up a committee of enquiry into the Pegasus trojan programme, which met for its constituent session yesterday. Background to the case are the known operations of the spying software produced by the Israeli NSO Group against opposition members and journalists in Hungary and Poland. The company claims to have sold its tools to almost all European countries, reports the New Yorker magazine.

The investigation, which goes by the acronym „PEGA“, involves members of parliament who were themselves intercepted by the NSO spying software, including Catalan politician Carles Puigdemont. This „CatalanGate“ was made public by the Canadian research group Citizen Lab at the start of „PEGA“. The EU Commission was also investigated with the trojan.

Investigations by Citizen Lab

As a precaution, MEPs extended the committee’s mandate to cover „equivalent surveillance spyware that is installed on mobile devices by exploiting IT vulnerabilities“. This should now prove to be a smart move in the case of the Predator spyware, which is causing a stir in Greece.

On 11 April, the Greek internet magazine Inside Story announced that the spyware had been found on the phone of Thanasis Koukakis, a journalist specialising in finance and corruption. Again, the report was based on an investigation by Citizen Lab. According to the report, Koukakis‘ mobile phone was infected by a personalised text message with a compromised link. The civilian secret service in Greece is considered to be the possible originator.

The manufacturer of Predator is the company Cytrox, which was founded in 2017 by five Israeli nationals and one Hungarian as a joint-stock company in Skopje (northern Macedonia). The owner of the company, which is now part of a company in Hungary, is 70-year-old Israeli air force veteran Meir Shamir. Northern Macedonian Ivo Malinkovksi is said to be the managing director. Cytrox reportedly has other production facilities and offices in Hungary and Israel.

Pegasus vs. Predator

Predator works on phones with Android and iOS operating systems and collects information from mobile devices and associated cloud services. Files, photos, internet histories, contacts and passwords are transferred to the clients after a successful infection.

The software became known in Egypt, among other places, where Citizen Lab was able to prove its use on the mobile phones of two opposition members. The infection was caused by clicking on a link in a Whatsapp message. One of the victims was also infected with the NSO trojan, which prompted the researchers to write the headline „Pegasus vs. Predator“. According to Citizen Lab, the government in Cairo is behind the attack.

In December, the Meta Group warned 50,000 Facebook and Instagram account holders about government surveillance and shut down 100 affected accounts. The Predator spying software was also mentioned in the corresponding report. According to it, its manufacturer Cytrox is one of the seven companies whose presence was eradicated from 1,500 fake accounts on social networks by Meta. Cytrox alone is said to have set up 300 of these accounts.

Competition with NSO Group

It is not only the fact that Predator was used to intercept a journalist in an EU member state that puts the software on the radar of the investigative committee in the Brussels parliament. Cytrox is part of the so-called „Intellexa Alliance“, in which various spyware manufacturers have joined forces to become competitive with the NSO Group. According to statements quoted by Citizen Lab, the network has six locations and research laboratories throughout Europe.

The Israeli ex-commander Tal Dilian, who is involved in it with his company WiSpear, is considered the designer of the „Intellexa Alliance“. Apparently renamed Passitora Ltd, the Cyprus-based company hit the headlines in 2019 when Dilian brought a black van with surveillance technology worth nine million dollars to the island.

So far, the enquiry committee has not named which witnesses will be summoned to the hearings, but in any case this will affect managing directors of the spyware companies. Under certain circumstances, this could also involve German authorities. According to Meta, Cytrox’s software is used in Armenia, Saudi Arabia, Oman, Colombia, Côte d’Ivoire, Vietnam and the Philippines. After Greece, Germany is the second known EU member state to which Predator has been officially sold.

Image: Stephen Petrey on Unsplash.

Autor: Matthias Monroy

Knowledge worker, activist, editor of the German civil rights journal Bürgerrechte & Polizei/CILIP.