One or more Malagasy security services have very likely acquired a license for Predator spyware, raising fears of use of this powerful surveillance tool for political purposes. The outgoing president, Andry Rajoelina, is one of thirteen candidates in the presidential election whose first round is due to take place on November 9, in a tense context.
An analysis carried out by researchers at the IT security company Sekoia, published on October 2, shows that several malicious websites were set up between April and August 2023, targeting potential Malagasy targets. Sekoia identified several servers using a very specific configuration of a Predator infection method and hosting at least two sites impersonating well-known Malagasy media outlets, L’Express de Madagascar and Midi Madagasikara, as well as several sites presenting themselves as pro-Rajoelina political blogs, such as Soutien à Rajoelina or Emergence Mada.
In most cases, Predator – less known than the famous Pegasus software – cannot be installed on a phone without action by its owner. The user must click on a link leading to a malicious site. Once present in the phone, Predator allows you to suck up messaging data, listen to telephone conversations or even geolocate the device permanently. Traces of infection with this software were recently found in the phone of former Egyptian MP and presidential candidate Ahmed Al-Tantawi.
Predator is published by a company belonging to the Intellexa consortium, specializing in surveillance tools and headed by a former Mossad agent living in Cyprus, Tal Dilian. In July, Intellexa was placed on a “blacklist” by the US Commerce Department, effectively banning US companies from buying or selling products from the group. The latter is also at the heart of several surveillance scandals, including in Europe. By 2022, the spyware had been found in phones of Greek journalists and politicians.
Uncertain goal
Madagascar was already on a list of “probable customers” for Predator established in 2021 by the university and multidisciplinary laboratory Citizen Lab, in Toronto, specializing in spyware detection. The information was then taken up by the American daily The New York Times.
Analysis of malicious sites leads Sekoia to say that it is “plausible that government services – police or intelligence services – acquired a Predator license to engage in political surveillance activities, a few months before the presidential election “. However, the company has not been able to observe active use of the infection system and therefore cannot know with certainty whether Malagasy phones have been infected this way.
Malicious sites created to infect phones usually present themselves as neutral, imitating media or academic sites. The presence of fake sites dedicated to Andry Rajoelina within the infrastructure detected by Sekoia is therefore quite surprising, and could suggest that the users of the spyware also sought to target personalities belonging to the entourage of the head of state. State or its party. But, in the absence of phone analyzes to document infections, it is impossible to say this.
