
Apple and Google Issue Global Alerts as New Spyware Firm Emerges

Menna Elhusseiny
December 10, 2025
Last update: 1:05 PM, December 10, 2025

Apple and Google have delivered a new round of threat notifications to users in over 150 countries — including Egypt and Saudi Arabia — after detecting attempts to infiltrate devices with sophisticated spyware allegedly created by malicious actors, often linked to governments or state-backed groups. Apple declared that the newest round of alerts was sent on December 2, but the company did not disclose how many users were targeted or which attackers were suspected. It said that “to date we have notified users in over 150 countries in total.”

A day after Apple issued its warnings, Google released its own set of alerts, this time connected to the Israeli spyware firm Intellexa. Google’s Threat Intelligence Group (GTIG) reported that Intellexa continues to function despite U.S. sanctions imposed in 2024 and increased industry scrutiny, stating that the group is “evading restrictions and thriving.” It added that the latest round of alerts targeted “several hundred accounts across various countries, including Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan.”

Apple, Google send new round of cyber threat notifications to users around world

These users were reportedly targeted with spyware linked to Intellexa’s well-documented exploit chains — sophisticated hacking tools built to penetrate modern smartphones by exploiting previously unknown vulnerabilities. The spyware vendor is responsible for at least 15 of the 70 zero-day exploits documented by GTIG and its predecessor, Google’s Threat Analysis Group (TAG), since 2021.

Intellexa’s Spyware Tools Continue to Evolve

Google said it had identified the companies Intellexa set up to penetrate advertising ecosystems, and partners have since shut down those accounts. The company highlighted one factor that distinguishes Intellexa from other actors: Intellexa has established itself as one of the most prolific spyware vendors, if not the most prolific, leveraging zero-day vulnerabilities in mobile browsers. “Intellexa has adapted, evaded restrictions, and continues selling digital weapons to the highest bidders,” it said.

GTIG stated that its research on Intellexa spans several years, revealing that the vendor specializes in zero-day vulnerabilities targeting Safari, Chrome’s V8 engine, and other mobile components. While many of these flaws have been patched, GTIG warns that Intellexa continues to discover new methods to exploit emerging vulnerabilities. “Despite the consistent efforts of security researchers and platform vendors to identify and patch these flaws, Intellexa repeatedly demonstrates an ability to procure or develop new zero-day exploits, quickly adapting and continuing operations for their customers,” it said.


What Is Intellexa?

Intellexa is considered the largest Israeli offensive cyber company operating beyond Israel and the distributor of the Predator spyware. It was founded by Tal Dilian, a former senior Military Intelligence officer and a pioneer in the digital surveillance industry, an investigation by Haaretz revealed last year.


In 2024, the U.S. government imposed sanctions on Tal Dilian and his business partner, Sara Aleksandra Fayssal Hamou. The U.S. Treasury cited allegations that Intellexa’s spyware had been deployed against Americans, including government officials, journalists, and policy experts.

Treasury sanctions members of the Intellexa commercial spyware consortium

Meanwhile, Intellexa’s spyware products continued to operate successfully despite extensive U.S. sanctions, according to “Intellexa Leaks,” a months-long investigation published by Israeli newspaper Haaretz, Inside Story in Greece, and WAV Research Collective in Switzerland, in technical collaboration with Amnesty’s Security Lab.


Predator is among the most invasive spyware tools, according to leaked materials from Intellexa, including internal company documents, sales and marketing material, and training videos. If successfully installed on a smartphone, Predator can compromise the latest Apple and Google mobile operating systems, extract all data from the device, including messages and calls, remotely activate the microphone and camera, and access other services used by the user.

The nonprofit researchers reported that the leaked video appears to show “live” Predator infection attempts “against real targets,” citing detailed information “from at least one infection attempt against a target in Kazakhstan.” The footage included the infection URL, the target’s IP address, and the software versions running on the target’s phone.


The “Intellexa Leaks” investigation also uncovered new details about the operations of the U.S.-sanctioned company. Investigators found that Intellexa was using malicious mobile advertisements, dubbed “Aladdin,” as a method to infect its targets. The method, revealed last year by Haaretz and Inside Story, exploits the commercial mobile advertising ecosystem to deliver infections. Amnesty characterizes the attack chain as “technically complex to implement” but “conceptually simple.”

“The Aladdin system infects the target’s phone by forcing a malicious advertisement created by the attacker to be shown on the target’s phone. This malicious ad could be served on any website which displays ads, such as a trusted news website or mobile app, and would appear like any other ad that the target is likely to see. Internal company materials explain that simply viewing the advertisement is enough to trigger the infection on the target’s device, without any need to click on the advertisement itself,” the Amnesty report reads.

Leak exposes the internal operations of Intellexa's mercenary spyware

New Intellexa-Linked Entities Revealed

Recorded Future’s Insikt Group, meanwhile, published research on individuals and states connected to Intellexa. Its research shows that Aladdin is already active and manages to track live infrastructure on a network exploiting the “advertising ecosystem” as a new infection vector through two “advertising companies” set up in Dubai’s free-trade zone. These companies share features — such as owners, directors, network details, and phone numbers — with entities previously tied to the Intellexa consortium.

Recorded Future’s report found that these companies were involved in far more than creating the infrastructure for the advertising-based infection system; several other Intellexa-linked entities registered in the UAE were also part of the consortium’s supply chain, including Pulse FZCO in Dubai’s free-trade zone, which was used to handle logistics and equipment shipments.

A corporate mapping of Intellexa conducted by the anti–sanction-evasion OSINT firm FIND, at Haaretz’s request, revealed that shares once owned by Dilian in an Israeli company were transferred in May 2024 to another firm registered in an Abu Dhabi free-trade zone — an area that has increasingly become a tax and regulatory haven for companies in numerous sectors, including intelligence firms.

In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.

Intellexa's Global Corporate Web

Other findings, according to Amnesty, include confirmation that Predator domains were mimicking legitimate Kazakhstani news sites, along with further evidence connecting Predator spyware to the surveillance of prominent Egyptian political activist Ayman Nour and Greek investigative journalist Thanasis Koukakis. The Intellexa data analyzed during the investigation also indicated evidence that clients based in Egypt and Saudi Arabia remain active.

Additionally, the news outlets reported Pakistan’s first known Predator infection, targeting a human rights lawyer, along with further instances of targeting in the country.

Growing Pressure on the Global Spyware Industry

Even though Apple and Google did not identify the individuals being targeted, previous investigations by international watchdogs such as Citizen Lab and Amnesty International show that those most often affected tend to be high-risk groups — notably human rights defenders, journalists, and political figures.


“The fact that, at least in some cases, Intellexa appears to have retained the capability to remotely access Predator customer logs — allowing company staff to see details of surveillance operations and targeted individuals — raises questions about its own human rights due diligence processes,” Jurre van Bergen, technologist at Amnesty International Security Lab, said in a news release.

“If a mercenary spyware company is found to be directly involved in the operation of its product, then by human rights standards, it could potentially leave them open to claims of liability in cases of misuse and if any human rights abuses are caused by the use of spyware,” he continued.
