Intellexa is a well-known commercial spyware vendor, servicing governments and large corporations. Its main product is the Predator spyware.
An investigation by several independent parties describes Intellexa as one of the most notorious mercenary spyware vendors, still operating its Predator platform and hitting new targets even after being placed on US sanctions lists and being under active investigation in Greece.
The investigation draws on highly sensitive documents and other materials leaked from the company, including internal records, sales and marketing material, and training videos. Amnesty International researchers reviewed the material to verify the evidence.
To me, the most interesting part is Intellexa’s continuous use of zero-days against mobile browsers. Google’s Threat Analysis Group (TAG) posted a blog about that, including a list of 15 unique zero-days.
Intellexa can afford to buy and burn zero-day vulnerabilities. They buy them from hackers and use them until the bugs are discovered and patched–at which point they are “burned” because they no longer work against updated systems.
The price for such vulnerabilities depends on the targeted device or application and the impact of exploitation. For example, you can expect to pay in the range of $100,000 to $300,000 for a robust, weaponized Remote Code Excecution (RCE) exploit against Chrome with sandbox bypass suitable for reliable, at‑scale deployment in a mercenary spyware platform. And in 2019, zero-day exploit broker Zerodium offered millions for zero-click full chain exploits with persistence against Android and iPhones.
Which is why only governments and well-resourced organizations can afford to hire Intellexa to spy on the people they’re interested in.
The Google TAG blog states:
“Partnering with our colleagues at CitizenLab in 2023, we captured a full iOS zero-day exploit chain used in the wild against targets in Egypt. Developed by Intellexa, this exploit chain was used to install spyware publicly known as Predator surreptitiously onto a device.”
To slow down the “burn” rate of its exploits, Intellexa delivers one-time links directly to targets through end-to-end encrypted messaging apps. This is a common method: last year we reported how the NSO Group was ordered to hand over the code for Pegasus and other spyware products that were used to spy on WhatsApp users.
The fewer people who see an exploit link, the harder it is for researchers to capture and analyze it. Intellexa also uses malicious ads on third-party platforms to fingerprint visitors and redirect those who match its target profiles to its exploit delivery servers.
This zero-click infection mechanism, dubbed “Aladdin,” is believed to still be operational and actively developed. It leverages the commercial mobile advertising system to deliver malware. That means a malicious ad could appear on any website that serves ads, such as a trusted news website or mobile app, and look completely ordinary. If you’re not in the target group, nothing happens. If you are, simply viewing the ad is enough to trigger the infection on your device, no need to click.
Image courtesy of Amnesty International
How to stay safe
While most of us will probably never have to worry about being in the target group, there are still practical steps you can take:
- Use an ad blocker. Malwarebytes Browser Guard is a good start. Did I mention it’s a free browser extension that works on Chrome, Firefox, Edge, and Safari? And it should work on most other Chromium based browsers (I even use it on Comet).
- Keep your software updated. When it comes to zero-days, updating your software only helps after researchers discover the vulnerabilities. However, once the flaws become public, less sophisticated cybercriminals often start exploiting them, so patching remains essential to block these more common attacks.
- Use a real-time anti-malware solution on your devices.
- Don’t open unsolicited messages from unknown senders. Opening them could be enough to start a compromise of your device.
We don’t just report on phone security—we provide it
Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.