Industrial Scale Operation Behind Predator Mobile Spyware Revealed

October 9, 2023

A recent investigation by Amnesty International's Security Labs and the European Investigative Collaboration (EIC) media network has shed light on the extensive commercial operation behind the surge in Predator spyware. The operation trades in surveillance activities on an industrial scale. The findings were presented in a report titled the Predator Files, which primarily focuses on Intellexa, an alliance of intelligence systems providers. Intellexa has been identified by the US Commerce Department and others as the main distributor of Predator, a mobile surveillance tool targeted at Android and iOS devices.

The report reveals Intellexa's use of a wide array of supporting products from alliance partners to intercept and subvert mobile networks and Wi-Fi technologies, sometimes in collaboration with Internet service providers (ISPs). These products have been discovered in at least 25 countries across Europe, Asia, the Middle East, and Africa. They have been utilized to undermine human rights, press freedom, and social movements worldwide. Amnesty International stated, 'The 'Predator Files' investigation shows what we have long feared: that highly invasive surveillance products are being traded on a near industrial scale and are free to operate in the shadows without oversight or any genuine accountability.'

Google's Threat Analysis Group released a report in September, detailing how Intellexa developed an exploit chain for three iOS zero-day vulnerabilities, which were later used in an attack on Egyptian organizations. The Predator spyware has capabilities to extract practically everything and listen to everything on a target device. Recently, the government of Madagascar was reported to have used the Predator tool on mobile devices of targeted individuals.

The report by Amnesty International highlights five technologies that Intellexa has employed over the years to assist its government and law enforcement clients in silently installing Predator on mobile devices of interest. These technologies include Mars, a network injection system installed at mobile ISP locations, and Jupiter, an add-on product to Mars used for network injection into encrypted HTTPS traffic.

Concerns over Intellexa's operations led the US State Department to list Intellexa, Cytrox AD (the maker of Predator), and two other alliance members as entities that pose a risk to US national security. Microsoft's recent digital defense report also mentions the emerging threat to organizations from cyber mercenary groups like Intellexa. The report describes them as private sector offensive actors, supplying nation states with technical capabilities to carry out destructive actions. The sector is seen as a gray area that is expected to continue to evolve and grow due to the potential for significant financial gain.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.