Intellexa Spyware Firm Thrives Despite US Sanctions

A commercial surveillance vendor sanctioned by the United States Government continues to operate and sell sophisticated spyware to governments worldwide. Intellexa, the company behind Predator spyware, has adapted its operations to evade restrictions while maintaining a prolific business in digital weapons.
Google Threat Intelligence Group analysis reveals that Intellexa has become one of the most active exploiters of zero-day vulnerabilities targeting mobile devices. Since 2021, the company has accounted for 15 unique zero-day vulnerabilities out of approximately 70 discovered by security researchers. These exploits include remote code execution, sandbox escape, and privilege escalation flaws affecting both iOS and Android devices. All identified vulnerabilities have been patched by their respective vendors.
The spyware vendor demonstrates a consistent ability to obtain or develop new zero-day exploits rapidly. Evidence suggests Intellexa purchases components of exploit chains from external entities rather than developing all tools internally. The company has targeted vulnerabilities in Google Chrome, Apple iOS, Android systems, and various hardware components including ARM Mali processors.
In 2023, security researchers captured a complete iOS exploit chain used against targets in Egypt. The sophisticated attack, internally named smack by Intellexa, installed Predator spyware on devices without user knowledge. The exploit utilized a framework called JSKit that researchers had previously observed in attacks by Russian government-backed actors and other surveillance vendors. This framework supports multiple iOS versions and employs advanced techniques to execute malicious code on modern Apple devices.
The captured exploit chain operates in multiple stages. The first stage exploits Safari browser vulnerabilities to gain initial access. The second stage breaks out of the Safari sandbox using kernel vulnerabilities to achieve system-level privileges. The final stage, tracked as PREYHUNTER, monitors the infected device and prevents detection. This component checks for security tools, developer mode, antivirus software, and suspicious network configurations. If threats are detected, the exploitation process terminates automatically.
PREYHUNTER includes capabilities for recording voice calls, logging keystrokes, and capturing photos from device cameras. The malware can hook into system processes to hide notifications that might alert users to surveillance activities. Security researchers assess that these features serve as validation tools before deploying the full Predator spyware suite.
Intellexa primarily delivers exploits through one-time links sent via encrypted messaging applications. However, the company has recently expanded its tactics to include malicious advertisements on third-party platforms. These ads fingerprint users and redirect specific targets to exploit delivery servers. Google identified advertising accounts that Intellexa front companies had created to infiltrate the advertising ecosystem and worked with its advertising partners to shut them down.
The spyware operations have targeted individuals across multiple countries. Since 2023, Google has delivered government-backed attack warnings to several hundred accounts associated with Intellexa customers. Affected users span Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan. The warnings aim to inform at-risk individuals about sophisticated surveillance threats.
International efforts to address commercial spyware proliferation have gained momentum. Google participates in the Pall Mall Process, an international initiative developing norms and frameworks to limit spyware misuse and protect human rights. These efforts build on earlier actions by the United States Government to restrict official use of commercial spyware that poses national security risks.
Google has added all identified Intellexa websites and domains to Safe Browsing protections to prevent further exploitation. The company emphasizes the importance of applying security patches promptly and maintaining fully updated software. Security researchers continue monitoring for zero-day exploitation and report newly discovered vulnerabilities to vendors immediately upon detection.