
Intellexa’s Predator spyware infected Angolan journalist’s device, Amnesty reports

Amnesty reports Angolan journalist’s iPhone was infected by Intellexa’s Predator spyware via a WhatsApp link in May 2024.

Amnesty International reports that in May 2024, Intellexa’s Predator spyware infected the iPhone of Teixeira Cândido, an Angolan journalist and press freedom advocate, after he opened a malicious link sent via WhatsApp. This incident highlights how attackers actively target journalists for surveillance.

Predator is a powerful mobile spyware by Intellexa, sold to governments for surveillance. Investigations over five years documented abuses worldwide, despite Intellexa rebranding and shifting its corporate structure. The Angola case marks the first confirmed Predator attack there, showing the spyware remained active through 2025. Amnesty International and partners exposed Intellexa’s operations, but the responsible customers remain unknown.

Since 2022, Angolan journalist Teixeira Cândido faced multiple attacks and break-ins, raising suspicions of surveillance. From April to June 2024, an attacker posing as students sent him WhatsApp messages to gain his trust, eventually sending malicious links. On 4 May 2024, he clicked one link, infecting his iPhone with Intellexa’s Predator spyware. Once installed, the spyware gave attackers full access to his device, including messages, calls, emails, location, camera, microphone, passwords, and other sensitive data, illustrating a targeted and highly invasive surveillance operation.

“Through forensic analysis of the links and associated domain names, Amnesty International’s Security Lab determined with high confidence that all the links sent to Teixeira Cândido to this WhatsApp number were attempts to infect his phone with the Predator spyware. All infection domains matched a network fingerprint used to track Intellexa infection servers,” reads the report published by Amnesty International. “On 4 May 2024, one day after the first Predator infection link was received (Figure 4), Teixeira Cândido appears to have opened the infection link received, which would have resulted in the successful infection of the journalist’s phone with the Predator spyware.”

On 4 May 2024, Amnesty International confirmed Predator spyware ran on Teixeira Cândido’s iPhone, executing from the directory /private/var/containers/Bundle/ under the name “iconservicesagent” to impersonate a system process.

His device ran the outdated iOS 16.2, potentially exposing it to known exploits, though Intellexa could also use zero-day vulnerabilities. The spyware remained active less than a day, but attackers sent 11 further malicious WhatsApp links through mid-June 2024. Forensic traces, network activity, and infection domains confirm this attack as Predator.
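The forensic indicator above (a binary named after an Apple system process, but executing from the app bundle container directory /private/var/containers/Bundle/ instead of a system directory) can be turned into a simple triage check. The following is an added example, not code from the Amnesty report or from Amnesty's tooling: it scans a constructed, tab-separated "pid, executable path" process listing and flags processes whose name matches a known system daemon but whose path lies outside the system directories. Only "iconservicesagent" and the container path come from the report; the other daemon names, the list of trusted system prefixes, the record format and the legitimate path of the real daemon are assumptions made for illustration.

```python
import posixpath
from dataclasses import dataclass

# Names of Apple system processes worth protecting from impersonation.
# "iconservicesagent" is the name used in the Amnesty report; the others are
# assumptions added here for illustration.
SYSTEM_PROCESS_NAMES = {"iconservicesagent", "mediaserverd", "locationd", "backboardd"}

# Directories from which genuine iOS system binaries execute (assumption).
SYSTEM_PREFIXES = ("/System/", "/usr/", "/sbin/", "/bin/")

# Third-party app bundle container named in the report. /var is a symlink
# to /private/var on iOS, so both spellings are accepted.
CONTAINER_PREFIXES = ("/private/var/containers/Bundle/", "/var/containers/Bundle/")


@dataclass
class Finding:
    pid: int
    name: str
    path: str
    reason: str


def parse_process_line(line):
    """Parse one constructed 'pid<TAB>path' record; return (pid, path) or None."""
    parts = line.strip().split("\t")
    if len(parts) != 2 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1]


def check_process(pid, path):
    """Return a Finding if a system-daemon name runs from a non-system location."""
    name = posixpath.basename(path)
    if name not in SYSTEM_PROCESS_NAMES:
        return None  # not a name an attacker would borrow from the system
    if path.startswith(SYSTEM_PREFIXES):
        return None  # the genuine daemon, living where it should
    if path.startswith(CONTAINER_PREFIXES):
        reason = "system daemon name executing from app bundle container"
    else:
        reason = "system daemon name executing outside system directories"
    return Finding(pid, name, path, reason)


def scan(lines):
    """Run check_process over every well-formed record and collect findings."""
    findings = []
    for line in lines:
        record = parse_process_line(line)
        if record is None:
            continue  # skip malformed records rather than aborting the scan
        finding = check_process(*record)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample listing (not real forensic data). The container UUID is
# a placeholder.
SAMPLE_PROCESS_LIST = [
    "1\t/sbin/launchd",
    "143\t/System/Library/CoreServices/iconservicesagent",  # genuine (assumed path)
    "2281\t/private/var/containers/Bundle/Application/00000000-0000-0000-0000-000000000000/iconservicesagent",
    "2290\t/var/containers/Bundle/Application/00000000-0000-0000-0000-000000000000/Messenger.app/Messenger",
    "this line is malformed",
    "2301\t/private/var/tmp/locationd",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_PROCESS_LIST):
        print(f"pid {f.pid}: {f.name} at {f.path} -> {f.reason}")
```

The check matches only the one indicator described in the report: a name collision with a system process from an untrusted path. In practice a responder would run Amnesty's open-source Mobile Verification Toolkit against a full backup or sysdiagnose rather than a hand-rolled filter, but the rule above shows why the path, not just the process name, is the signal.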

Amnesty International’s research shows Intellexa’s Predator spyware has targeted Angola since at least early 2023, with the attack on journalist Teixeira Cândido representing just part of broader activity. Predator communicates with spyware servers via domain names, many in Portuguese, revealing a regional focus. Technical analysis linked the domains used against Cândido to Predator, with earlier Angola-linked domains dating back to March 2023. Predator grants total access to devices, making independent audits nearly impossible.

Amnesty considers such spyware fundamentally incompatible with human rights. The Angola attack violates journalists’ rights to privacy and free expression, chilling civil society in a context of growing authoritarianism under President João Lourenço. Amnesty’s inquiries to Intellexa about its role and access to customer systems remain unanswered, raising concerns over the company’s legal and ethical responsibility in these abuses.

“While it remains unclear if Intellexa could access the specific Angolan deployment in 2024, the finding from Intellexa Leaks that the company had potential visibility into active surveillance operations of their customers, including seeing technical information about the targets, raises new legal questions about Intellexa’s role in relation to the spyware and the company’s potential legal or criminal responsibility for unlawful surveillance operations carried out using their products,” concludes the report. “This new case of spyware use against a journalist in Angola makes clear – yet again – that the unchecked sale and use of surveillance technologies continue to facilitate human rights abuses at a global scale.”


Pierluigi Paganini


Leaks show Intellexa burning zero-days to keep Predator spyware running

Intellexa is a well-known commercial spyware vendor, servicing governments and large corporations. Its main product is the Predator spyware.

An investigation by several independent parties describes Intellexa as one of the most notorious mercenary spyware vendors, still operating its Predator platform and hitting new targets even after being placed on US sanctions lists and being under active investigation in Greece.

The investigation draws on highly sensitive documents and other materials leaked from the company, including internal records, sales and marketing material, and training videos. Amnesty International researchers reviewed the material to verify the evidence.

To me, the most interesting part is Intellexa’s continuous use of zero-days against mobile browsers. Google’s Threat Analysis Group (TAG) posted a blog about that, including a list of 15 unique zero-days.

Intellexa can afford to buy and burn zero-day vulnerabilities. They buy them from hackers and use them until the bugs are discovered and patched, at which point they are “burned” because they no longer work against updated systems.

The price for such vulnerabilities depends on the targeted device or application and the impact of exploitation. For example, you can expect to pay in the range of $100,000 to $300,000 for a robust, weaponized Remote Code Execution (RCE) exploit against Chrome with sandbox bypass suitable for reliable, at-scale deployment in a mercenary spyware platform. And in 2019, zero-day exploit broker Zerodium offered millions for zero-click full-chain exploits with persistence against Android and iPhones.

Which is why only governments and well-resourced organizations can afford to hire Intellexa to spy on the people they’re interested in.

The Google TAG blog states:

“Partnering with our colleagues at CitizenLab in 2023, we captured a full iOS zero-day exploit chain used in the wild against targets in Egypt. Developed by Intellexa, this exploit chain was used to install spyware publicly known as Predator surreptitiously onto a device.”

To slow down the “burn” rate of its exploits, Intellexa delivers one-time links directly to targets through end-to-end encrypted messaging apps. This is a common method: last year we reported how the NSO Group was ordered to hand over the code for Pegasus and other spyware products that were used to spy on WhatsApp users.

The fewer people who see an exploit link, the harder it is for researchers to capture and analyze it. Intellexa also uses malicious ads on third-party platforms to fingerprint visitors and redirect those who match its target profiles to its exploit delivery servers.

This zero-click infection mechanism, dubbed “Aladdin,” is believed to still be operational and actively developed. It leverages the commercial mobile advertising system to deliver malware. That means a malicious ad could appear on any website that serves ads, such as a trusted news website or mobile app, and look completely ordinary. If you’re not in the target group, nothing happens. If you are, simply viewing the ad is enough to trigger the infection on your device, no need to click.

[Figure: Zero-click infection chain. Image courtesy of Amnesty International]

How to stay safe

While most of us will probably never have to worry about being in the target group, there are still practical steps you can take:

  • Use an ad blocker. Malwarebytes Browser Guard is a good start. Did I mention it’s a free browser extension that works on Chrome, Firefox, Edge, and Safari? And it should work on most other Chromium based browsers (I even use it on Comet).
  • Keep your software updated. When it comes to zero-days, updating your software only helps after researchers discover the vulnerabilities. However, once the flaws become public, less sophisticated cybercriminals often start exploiting them, so patching remains essential to block these more common attacks.
  • Use a real-time anti-malware solution on your devices.
  • Don’t open unsolicited messages from unknown senders. Opening them could be enough to start a compromise of your device.
