Angolan Journalist’s iPhone Compromised by Intellexa’s Predator Spyware
In a recent revelation, Amnesty International has uncovered that a government client of the sanctioned spyware manufacturer Intellexa infiltrated the iPhone of Teixeira Cândido, a prominent journalist and advocate for press freedom in Angola. This incident underscores the escalating use of sophisticated surveillance tools against members of civil society.
Throughout 2024, Cândido received multiple malicious links via WhatsApp. Upon clicking one of these links, his device was infected with Intellexa’s spyware, known as Predator. Amnesty International’s analysis identified forensic evidence linking the intrusion to Intellexa, including the use of infection servers previously associated with the company’s spyware infrastructure.
This case highlights a troubling trend where governments deploy commercial surveillance tools to monitor journalists, politicians, and dissenting voices. Similar abuses of Predator spyware have been documented in countries such as Egypt, Greece, and Vietnam, where it was reportedly used to target U.S. officials via links on social media platforms.
Intellexa has faced significant scrutiny in recent years. Operating across various jurisdictions to circumvent export laws, the company has been described by U.S. officials as utilizing an opaque web of corporate entities to conceal its activities. In 2024, the U.S. government imposed sanctions on Intellexa, its founder Tal Dilian, and his business partner Sara Aleksandra Fayssal Hamou. Despite these measures, Intellexa’s operations have persisted, with reports indicating continued deployment of its spyware.
Amnesty International’s investigation revealed that Predator spyware maintains a low profile by masquerading as legitimate iOS system processes, thereby evading detection. In Cândido’s case, the spyware was removed when he rebooted his device several hours after the infection. The exact method by which the spyware exploited his iPhone remains unclear, particularly since his device was running an outdated version of iOS at the time.
The organization also discovered multiple domains linked to Intellexa’s spyware infrastructure in Angola, suggesting that Cândido may not be the sole target. The earliest deployment of these domains dates back to March 2023, indicating that Predator testing or deployment in the country began around that time. However, Amnesty International has not been able to conclusively identify the specific customer responsible for the attack on Cândido.
Further complicating the situation, leaked internal documents have shown that Intellexa employees had the capability to remotely access customers’ surveillance systems. This access potentially allowed the company to view data collected from individuals targeted by its spyware, raising significant concerns about privacy and security.
Despite facing sanctions and public condemnation, Intellexa continues to operate actively. Donncha Ó Cearbhaill, head of Amnesty International’s security lab, stated, We’ve now seen confirmed abuses in Angola, Egypt, Pakistan, Greece, and beyond — and for every case we uncover, many more abuses surely remain hidden.
This incident serves as a stark reminder of the pervasive threat posed by commercial spyware to journalists and activists worldwide. It underscores the urgent need for robust legal frameworks and international cooperation to regulate the use of such surveillance tools and protect individuals from unwarranted intrusion.
