Intellexa's Predator Spyware Exposed: Zero-Day Exploits and Ad-Based Attacks Revealed

A massive leak of internal documents from surveillance firm Intellexa has unveiled alarming new details about its Predator spyware. The revelations expose the use of previously unknown zero-day vulnerabilities and a sophisticated new method of delivering the spyware through malicious online advertisements, bypassing traditional security measures.

Key Takeaways

  • Intellexa's Predator spyware has exploited at least 15 zero-day vulnerabilities across Android, iOS, and Chrome.

  • A new "Aladdin" system weaponizes the digital advertising ecosystem for "zero-click" spyware infections.

  • Intellexa allegedly retained remote access to its government clients' surveillance systems.

  • The spyware continues to be deployed globally despite international sanctions.

Zero-Day Exploitation and Advanced Delivery

Leaked documents, analyzed by Google's Threat Intelligence Group and Amnesty International, indicate that Intellexa has been highly prolific in exploiting zero-day vulnerabilities. Since 2021, the company has been linked to 15 such exploits, representing a significant portion of all zero-days discovered by Google during that period. These exploits target critical flaws in Android Runtime, Google Chrome's V8 engine, and Apple's WebKit, enabling capabilities like remote code execution, sandbox escapes, and privilege escalation.

The "Aladdin" Ad-Based Attack Vector

One of the most significant revelations is the "Aladdin" system, which leverages the commercial mobile advertising ecosystem. This method allows Predator spyware to be delivered through malicious digital advertisements embedded in legitimate websites and mobile applications. The attack is a true "zero-click" exploit: a target's device can be infected merely by rendering the ad, without any user interaction. Intellexa reportedly uses targets' public IP addresses or other identifiers to ensure these weaponized ads are served only to specific individuals.

Unprecedented Access and Global Operations

Further disturbing findings suggest that Intellexa employees retained remote access capabilities to the surveillance systems of their government clients, even those considered "air-gapped." Using tools like TeamViewer, Intellexa staff could allegedly view operational dashboards and access sensitive surveillance data. This practice contradicts claims made by other spyware vendors and raises serious questions about legal liability in cases of misuse.

Despite facing U.S. sanctions and ongoing investigations in various countries, Intellexa continues to operate globally. Recent reports indicate Predator spyware has been deployed against targets in Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, and Saudi Arabia. The spyware has been used in attacks against human rights lawyers and journalists, highlighting its use against civil society.

Mitigation and Future Concerns

While the vulnerabilities exploited by Intellexa have largely been patched by the respective vendors, the continuous development of sophisticated spyware and novel delivery methods by companies like Intellexa poses an ongoing threat. Users are advised to keep their devices updated, enable advanced security features like Lockdown Mode on iOS and Advanced Protection on Android, and be cautious of suspicious links and messages. The advertising industry, platform vendors, and regulators are urged to take action to counter the weaponization of the ad ecosystem for surveillance purposes.

Sources

  • Intellexa Leaks Reveal Zero-Days and Ads-Based Vector for Predator Spyware Delivery, The Hacker News.

  • Predator spyware uses new infection vector for zero-click attacks, BleepingComputer.

  • Intellexa Predator spyware infects phones via ads and 2G exploits, CyberInsider.

  • Intellexa Exploited 15 Zero-Days, Infiltrated Ad Networks to Deploy Predator, Cyber Kendra.
