An opposition Egyptian presidential candidate was targeted with spyware a number of times in recent months, with Egyptian authorities likely behind the hacking attempts, security researchers say.
Ahmed Altantawy said on Saturday he contacted internet watchdog Citizen Lab after receiving suspicious messages on his smartphone.
The former Egyptian lawmaker said he suspected they were malicious and “inextricably linked to my political candidacy and my opposition role in the country against the Sisi regime”, referring to Egyptian President Abdel Fattah el-Sisi.
The hacking attempts sought “not only to surveil but perhaps also to find compromising material that could be used to discredit or defame me”, he added.
Researchers at the University of Toronto-based Citizen Lab and Google’s Threat Analysis Group found the malware used against Altantawy last week, which prompted Apple to release security updates on Thursday to patch the associated vulnerabilities.
Citizen Lab said in a blog post that attempts beginning in August involved configuring the connection between Altantawy’s phone and the Vodafone Egypt mobile network so that the phone would automatically be infected with Predator spyware if he visited websites not using the secure HTTPS protocol.
The watchdog said the attempts probably failed because Altantawy had his phone in “lockdown mode”, a recommendation Apple makes for users at high risk, including activists, journalists, and political dissidents in countries like Egypt.
Prior to that, attempts were also made beginning in May to hack Altantawy’s phone with Predator via links in text and WhatsApp messages that he would have to click on to become infected.
Once a phone is infected, the Predator spyware turns a smartphone into a remote eavesdropping device, allowing the attacker to siphon off data.
Researchers at Citizen Lab are certain the Egyptian government is behind the attacks given that Egypt is a known customer of Predator’s maker, Cytrox, and the spyware was delivered via network injection from Egyptian soil.
“It’s scary the fact that the government can essentially select anyone on Vodafone Egypt’s network and perhaps other networks for infections and they just flip a switch,” said Bill Marczak of Citizen Lab.
“The most likely scenario here is that, yes, there is this cooperation from Vodafone,” he added.
In 2021, Citizen Lab had previously determined that Altantawy was hacked by Predator.
The presidential candidate, also a former journalist, announced in March his bid to challenge el-Sisi in Egypt’s upcoming 2024 elections.
El-Sisi’s government has, since he came to power in 2014, been accused of a brutal crackdown against opposition politicians, human rights activists, and dissidents, including through tactics such as forced disappearances, torture, and long-term detentions without trial, according to activists.
Altantawy, his family members, and his supporters complained about being harassed, which prompted him to ask Citizen Lab researchers to analyse his phone for potential hacking attempts.