Intellexa’s Predator Spyware Exploits 15 Zero-Day Vulnerabilities in iOS and Android Devices Globally

Since 2021, Intellexa, the developer behind the notorious Predator spyware, has exploited 15 zero-day vulnerabilities to infiltrate iOS and Android devices globally. Despite facing sanctions from the U.S. government, Intellexa’s operations persist, with recent attacks identified in countries such as Saudi Arabia, Pakistan, and Egypt.

Intellexa’s Exploitation of Zero-Day Vulnerabilities

Intellexa has emerged as a prominent player in the commercial spyware industry, particularly in exploiting zero-day vulnerabilities within mobile browsers. These vulnerabilities are critical security flaws unknown to the software vendor, leaving devices susceptible to attacks until patches are developed and deployed. Intellexa’s strategy involves targeting both iOS and Android platforms through concealed links sent via encrypted messaging applications.

Out of approximately 70 zero-day vulnerabilities discovered since 2021, Intellexa is responsible for 15 unique exploits. These include Remote Code Execution (RCE), Sandbox Escape, and Local Privilege Escalation vulnerabilities. All affected vendors have since released patches to address these security issues.

Insights from Google Cloud Security Researchers

Google Cloud’s security team has conducted extensive analyses, revealing that Intellexa often acquires exploit chains from external sources rather than developing them internally. This approach enables the company to swiftly adapt to new security patches and maintain the effectiveness of their spyware. Operating through front organizations to evade detection, Intellexa continues to serve clients worldwide, undeterred by international sanctions.

The Three-Stage Attack Process

Intellexa’s method of compromising devices involves a sophisticated three-stage process:

1. Initial Exploitation: The attack begins with exploiting a vulnerability in the Safari browser, such as CVE-2023-41993. This exploit utilizes a framework called JSKit to achieve memory read and write access. JSKit has been employed in multiple campaigns since 2021, including those by state-sponsored groups. Its well-maintained codebase supports various iOS versions, enhancing its versatility.

2. Sandbox Escape: The second stage involves breaking out of the Safari sandbox using kernel vulnerabilities like CVE-2023-41991 and CVE-2023-41992. This step grants kernel memory access to the final payload, setting the stage for full device compromise.

3. Payload Deployment: The final stage deploys two modules named helper and watcher. The watcher module monitors the infected device for signs of detection, such as developer mode activation, console attachments, security tools, and custom network configurations. If it detects locales like the U.S. or Israel, or security applications such as McAfee or Norton, it terminates the attack to avoid exposure.

Infection Mechanism and Stealth Capabilities

The helper module provides the core spyware functionality through two custom hooking frameworks named DMHooker and UMHooker. These frameworks enable the recording of voice calls (written to disk as `/private/var/tmp/l/voip_%lu_%u_PART.m4a`), keystroke capture, and photo capture via the device’s camera. The module also hooks SpringBoard to suppress the notification alerts these activities would normally trigger, enhancing the spyware’s stealth.

Compilation artifacts reveal the build path as `/Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/`, confirming internal tracking names and providing insight into Intellexa’s development processes.
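The two artifacts above (the printf-style recording path template and the literal build path) are the kind of strings a forensic triage of a device backup or extracted binary can be checked against. The following Python is an added example, not code from the original write-up or from any vendor: it converts the format-string template into an anchored regex, then scans a constructed file listing and a constructed strings dump. The `%lu`/`%u` handling, the sample listing and the helper names are assumptions of this example.

```python
import re
from typing import Iterable, List

# Artifact strings taken from the write-up: a printf-style path template for
# the voice-call recordings and a literal build path embedded in the binary.
VOIP_FORMAT = "/private/var/tmp/l/voip_%lu_%u_PART.m4a"
BUILD_PATH = "/Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/"

# Conversion specifiers handled by this example (assumption: %lu/%u/%d are
# unsigned/signed integers rendered as digit runs, %s is one path component).
_FORMAT_SPEC = re.compile(r"%(lu|u|d|s)")


def format_to_regex(fmt: str) -> "re.Pattern[str]":
    """Turn a printf-style path template into an anchored regex so a file
    listing can be matched against it without knowing the runtime values."""
    parts: List[str] = []
    pos = 0
    for m in _FORMAT_SPEC.finditer(fmt):
        parts.append(re.escape(fmt[pos:m.start()]))
        parts.append(r"[^/]+" if m.group(1) == "s" else r"\d+")
        pos = m.end()
    parts.append(re.escape(fmt[pos:]))
    return re.compile("^" + "".join(parts) + "$")


VOIP_RE = format_to_regex(VOIP_FORMAT)


def find_voip_artifacts(paths: Iterable[str]) -> List[str]:
    """Return every path in a filesystem listing matching the recording template."""
    return [p for p in paths if VOIP_RE.match(p)]


def find_build_path(strings: Iterable[str]) -> List[str]:
    """Return lines from an extracted-strings dump that contain the build path."""
    return [s for s in strings if BUILD_PATH in s]


if __name__ == "__main__":
    # Constructed sample listing from a hypothetical backup; not real device data.
    listing = [
        "/private/var/tmp/l/voip_1714000000_3_PART.m4a",
        "/private/var/tmp/l/voip_x_3_PART.m4a",  # malformed: must not match
        "/private/var/mobile/Media/DCIM/100APPLE/IMG_0001.JPG",
    ]
    print(find_voip_artifacts(listing))
    print(find_build_path(["harmless string", "path: " + BUILD_PATH + "helper"]))
```

Patterns like this are only as good as the artifacts they encode; newer builds may change the paths, so treat a miss as inconclusive and a hit as a reason to escalate.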

Intellexa’s Zero-Day Vulnerabilities (2021-2025):

| CVE Identifier | Vulnerability Type | Vendor | Affected Product |
|----------------|----------------------------|--------|------------------|
| CVE-2025-48543 | Sandbox Escape + LPE | Google | Android |
| CVE-2025-6554 | Remote Code Execution | Google | Chrome |
| CVE-2023-41993 | Remote Code Execution | Apple | iOS |
| CVE-2023-41992 | Sandbox Escape + LPE | Apple | iOS |
| CVE-2023-41991 | Local Privilege Escalation | Apple | iOS |
| CVE-2024-4610 | Local Privilege Escalation | ARM | Mali |
| CVE-2023-4762 | Remote Code Execution | Google | Chrome |
| CVE-2023-3079 | Remote Code Execution | Google | Chrome |
| CVE-2023-2136 | Sandbox Escape | Google | Skia |
| CVE-2023-2033 | Remote Code Execution | Google | Chrome |
| CVE-2021-38003 | Remote Code Execution | Google | Chrome |
| CVE-2021-38000 | Remote Code Execution | Google | Chrome |
| CVE-2021-37976 | Sandbox Escape | Google | Chrome |
| CVE-2021-37973 | Sandbox Escape | Google | Chrome |
| CVE-2021-1048 | Sandbox Escape + LPE | Google | Android |

Implications and Recommendations

The persistent activities of Intellexa underscore the evolving threats posed by commercial spyware vendors. Their ability to exploit zero-day vulnerabilities and adapt to security patches highlights the need for continuous vigilance and proactive security measures.

Recommendations for Users:

– Regular Software Updates: Ensure that all devices are updated with the latest security patches to mitigate known vulnerabilities.

– Exercise Caution with Links: Be wary of clicking on links received through encrypted messaging apps, especially from unknown sources.

– Install Reputable Security Software: Utilize trusted security applications to detect and prevent spyware infections.

– Monitor Device Behavior: Stay alert to unusual device behavior, such as unexpected battery drain or performance issues, which may indicate a compromise.

By adopting these practices, users can enhance their defenses against sophisticated spyware threats like those posed by Intellexa’s Predator.