
If you think an adblocker is optional, think again. Simply loading a single advertisement on any legitimate website or app was enough to secretly plant Intellexa’s Predator, one of the most advanced commercial spyware tools, linked to human rights abuses across many countries.
Intellexa is a notorious Irish mercenary spyware company. It continues to operate despite being blacklisted by the US authorities for targeting Americans, including government officials, journalists, and policy experts.
Leaked documents reveal that Intellexa has developed and used technology enabling zero-click compromise of the phones of victims targeted by its clients, according to a report by Amnesty International and other media outlets.
Moreover, the spyware firm itself retained remote access to its government customers’ systems and, by extension, to the data of “those subject to targeted surveillance attacks by governments.”
The report details new evidence that the Predator spyware is being actively used in Pakistan, and confirms “specific cases of surveillance abuses previously found in Greece and Egypt.”
“This investigation provides one of the clearest and most damning views yet into Intellexa’s internal operations and technology,” said Jurre van Bergen, Technologist at Amnesty International’s Security Lab.
The leak consists of Intellexa’s highly sensitive documents and other data, including internal company documents, sales and marketing material, as well as training videos.
Compromise via advertising ecosystems
The leak reveals that Intellexa has developed a zero-click capability to silently infect victims anywhere in the world.
Dubbed “Aladdin,” the system would push a malicious ad to the target, selected by the device’s IP address. Infection through advertising was marketed as working on both Android and iOS devices.
“This malicious ad could be served on any website which displays ads, such as a trusted news website or mobile app, and would appear like any other ad that the target is likely to see,” Amnesty said.
“Simply viewing the advertisement is enough to trigger the infection on the target’s device, without any need to click on the advertisement itself.”
Targets could be selected using a number of identifiers, such as their advertising ID, email address, geolocation, or IP address.
Intellexa is not the only one developing such ad-delivered exploits; other mercenary spyware companies, and likely state-sponsored actors, are doing so as well.
And Aladdin is not the only entry point. Intellexa has mostly relied on a range of other zero-days and exploits to get in.
“Intellexa’s Predator relies, almost exclusively, on so-called “1-click” attacks to infect a device, which require a malicious link to be opened in the target’s phone,” Amnesty International said. “The malicious link then loads a browser exploit for Chrome (on Android) or Safari (on iOS) to gain initial access to the device and download the full spyware payload.”
Other vectors were “network injection systems,” which require cooperation between the customer and the internet service provider (ISP) used by the target. Intellexa also used a device-specific exploit to target Samsung Exynos devices.
Google Threat Intelligence Group (GTIG) has analyzed the full iOS zero-day exploit chain used by Intellexa against targets in Egypt and believes the exploit was acquired from other government-backed attackers, as the same exploits had already been used by Russian state-sponsored attackers against the Mongolian government.
“Intellexa is responsible for a substantial number of the zero-day vulnerabilities identified over the years,” GTIG said.
Since 2021, Intellexa has accounted for 15 unique zero-days, including remote code execution (RCE), sandbox escape (SBX), and local privilege escalation (LPE) vulnerabilities.
Once the spyware is installed, it grants nearly complete access. Intellexa’s marketing material boasts of extensive capabilities: it can access encrypted messaging apps such as Signal or WhatsApp, record audio, and reach email, the camera, the microphone and other sensors, device location, stored passwords, contacts, and more.
Peeking through the clients’ peephole?
Another striking revelation is that Intellexa retained the ability to remotely access surveillance systems used by its clients, even when hosted on premises in government facilities. The staff allegedly used the widely popular remote-desktop software TeamViewer.
The leaked training video “suggests that Intellexa staff also had potential access to the most sensitive parts of the customer’s Predator system, including the Predator dashboard and other internal services used to view and store raw surveillance data gathered from targets of the spyware,” the report reads.
This access allowed the spyware firm’s employees to view the full Predator dashboard, containing collected raw surveillance data such as messages, photos, location, and other logs.
Potential surveillance victims had their data exposed to both the customer and the spyware company.
“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” said Jurre van Bergen.
The leak exposed large parts of Intellexa’s infrastructure, such as domains used for internal services, including API servers, and other indicators of compromise. The discovered domains imitated legitimate Kazakhstani news websites.
Amnesty International compared the leaked documents to a “Rosetta Stone,” providing forensic evidence, such as matching configuration options, filenames, encryption keys, and other IOCs, that helps track suspected Predator spyware attacks.
The persistent use of this spyware highlights a growing threat to journalists, human-rights defenders, global civil society, and other vulnerable people.