Predator Spyware Company Used 15 Zero-Days Since 2021 to Target iOS Users

A commercial spyware company called Intellexa has exploited 15 zero-day vulnerabilities since 2021 to target iOS and Android users worldwide.

The company, known for developing the Predator spyware, continues operations despite being sanctioned by the US government.

The threats remain active across multiple countries, with recent attacks detected in Saudi Arabia, Pakistan, Egypt, and other nations.

Intellexa has become one of the most active spyware vendors exploiting zero-day vulnerabilities in mobile browsers.

The attacks target both iOS and Android devices through hidden links sent via encrypted messaging apps. Of the roughly 70 in-the-wild zero-days tracked since 2021, 15 distinct exploits are attributed to Intellexa.

These include Remote Code Execution, Sandbox Escape, and Local Privilege Escalation vulnerabilities. All affected vendors have now patched these security flaws.


Google Cloud security researchers identified Intellexa’s continued activities through extensive threat analysis.

The research revealed that Intellexa buys exploit chains from external sources rather than developing all of its tooling in-house. Because it is not tied to a single in-house chain, the company can replace an exploit quickly once a vendor patches it.

The company operates through front organizations to avoid detection and continues serving customers worldwide despite international sanctions.

The spyware uses a three-stage attack process to compromise devices. In one documented case from Egypt, Intellexa deployed an exploit chain internally named “smack” to install Predator spyware on iOS devices.

[Figure] Testing and validating shellcode execution (Source – Google Cloud)

The attack started with a WebKit vulnerability in Safari tracked as CVE-2023-41993. The exploit used a framework called JSKit to obtain an arbitrary memory read/write primitive inside the browser process.

This framework has appeared in multiple campaigns since 2021, including attacks by Russian government-backed groups.

Code analysis shows the framework is well-maintained and supports various iOS versions.

Infection Mechanism and Stealth Capabilities

The second stage escapes the Safari sandbox and escalates privileges using CVE-2023-41991 (a signature validation bypass in Apple's Security framework) and CVE-2023-41992 (a kernel privilege escalation).

This stage provides kernel memory access to the third-stage payload, which consists of two modules called helper and watcher.

The watcher module monitors the infected device for signs of analysis. It checks for developer mode, an attached console or debugger, security tools, and custom network configurations.

If it detects a US or Israeli locale, a security app such as McAfee or Norton, or an analysis tool such as Frida or an SSH daemon, it aborts the infection rather than deploy the payload.

Intellexa Zero-Day Vulnerabilities (2021-2025)

Type key: RCE = remote code execution, SBX = sandbox escape, LPE = local privilege escalation.

CVE              Vulnerability Type   Vendor   Affected Product
CVE-2025-48543   SBX+LPE              Google   Android
CVE-2025-6554    RCE                  Google   Chrome
CVE-2023-41993   RCE                  Apple    iOS
CVE-2023-41992   SBX+LPE              Apple    iOS
CVE-2023-41991   LPE                  Apple    iOS
CVE-2024-4610    LPE                  ARM      Mali
CVE-2023-4762    RCE                  Google   Chrome
CVE-2023-3079    RCE                  Google   Chrome
CVE-2023-2136    SBX                  Google   Skia
CVE-2023-2033    RCE                  Google   Chrome
CVE-2021-38003   RCE                  Google   Chrome
CVE-2021-38000   RCE                  Google   Chrome
CVE-2021-37976   SBX                  Google   Chrome
CVE-2021-37973   SBX                  Google   Chrome
CVE-2021-1048    SBX+LPE              Google   Android

The helper module provides the core spyware functions through two custom hooking frameworks named DMHooker and UMHooker.

These hooks allow it to record voice calls (stored as /private/var/tmp/l/voip_%lu_%u_PART.m4a), capture keystrokes, and take photos with the camera.

The module also hooks SpringBoard to suppress the notification alerts that these actions would normally trigger.

Compilation artifacts show the build path as /Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/, confirming both the internal "smack" tracking name and a GitLab CI build pipeline.
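The two artifacts above (the recording path and the build path) are the kind of strings an incident responder can check for on a suspect device image or in a carved binary. The script below is an added triage example written for this page; it is not Intellexa's code and not Google's detection logic. It turns the `voip_%lu_%u_PART.m4a` format string into a regex and looks for the build-path markers in a `strings`-style dump. The file listing and string dump are constructed sample input, and the assumption that the `jbSFKQv5/0` segment of the build path may vary between builds is the example's own.

```python
"""Triage helper for the Predator/Intellexa indicators quoted in the article.

Added example for this page, not Intellexa's code and not Google's detection
logic. Inputs are a file listing (for instance from a full-filesystem backup)
and a `strings`-style dump of a suspect binary; both are constructed inline.
"""
import re
from dataclasses import dataclass

# The article quotes the recording path as a C format string. %lu and %u are
# unsigned decimal integers, so concrete file names must match this pattern.
VOIP_RECORDING_RE = re.compile(r"^/private/var/tmp/l/voip_\d+_\d+_PART\.m4a$")

# Build-path fragments from the article. Assumption for this example: the
# run-specific "jbSFKQv5/0" segment may differ between builds, so match on the
# stable CI prefix and on the project name separately.
BUILD_PATH_MARKERS = (
    "/Users/gitlab_ci_2/builds/",
    "smackjs8-production",
)


@dataclass(frozen=True)
class Hit:
    kind: str    # "voip_recording" or "build_path"
    value: str   # the matching path or string
    source: str  # which input it came from


def scan_file_listing(paths):
    """Return one Hit per path that matches the call-recording naming scheme."""
    return [
        Hit("voip_recording", p.strip(), "file_listing")
        for p in paths
        if VOIP_RECORDING_RE.match(p.strip())
    ]


def scan_strings(strings_out):
    """Return one Hit per dumped string that carries a build-path marker."""
    return [
        Hit("build_path", s.strip(), "binary_strings")
        for s in strings_out
        if any(marker in s for marker in BUILD_PATH_MARKERS)
    ]


def triage(paths, strings_out):
    """Run both scans and return the combined list of hits."""
    return scan_file_listing(paths) + scan_strings(strings_out)


# Constructed sample input: two real-looking recordings, plus two near misses
# (same directory but wrong name; right name but wrong directory).
SAMPLE_LISTING = [
    "/private/var/mobile/Library/SMS/sms.db",
    "/private/var/tmp/l/voip_1694812345_7_PART.m4a",
    "/private/var/tmp/l/voip_1694812345_8_PART.m4a",
    "/private/var/tmp/l/voip_notes.txt",
    "/private/var/tmp/voip_1_1_PART.m4a",
]

# Constructed strings dump: the build path is quoted from the article; the
# other entries are filler chosen to exercise the negative case.
SAMPLE_STRINGS = [
    "_DMHooker_install",
    "/Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/",
    "SpringBoard",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING, SAMPLE_STRINGS):
        print(f"[{hit.kind}] {hit.value}  ({hit.source})")
```

Run against a real image, feed `scan_file_listing` the output of a recursive listing of the device filesystem and `scan_strings` the output of `strings` over any unsigned or unexpected Mach-O found on it. A match on the recording path is the stronger signal, since it is a runtime artifact rather than a string the operator could strip from a later build.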
