A new report by Amnesty International and several media partners has revealed that a human rights lawyer in Pakistan’s Balochistan province was the apparent target of an attempted infection by Predator spyware. The attack was initiated through a suspicious link received on WhatsApp from an unknown number. Amnesty International characterized the link as a “Predator attack attempt” because its behavior and specific characteristics were consistent with Predator’s previously observed “1-click infection links.” This marks the first known time a civil society member in Pakistan has been targeted by Intellexa’s powerful spyware. In response, Pakistan has publicly rejected the claims, stating that the allegations are without any basis.
The investigation’s findings are the result of a joint effort, published in collaboration with Israeli newspaper Haaretz, Greek news site Inside Story, and Swiss tech site Inside IT. The report is primarily based on a significant trove of leaked materials from the company, including internal documentation, sales and marketing literature, and training videos. These leaked documents provide rare insight into the clandestine operations and offerings of the mercenary surveillance firm.
Intellexa is the developer behind Predator, a powerful mercenary spyware tool designed to covertly harvest sensitive data from both Android and iOS mobile devices without the user’s knowledge. It operates similarly to other high-profile spyware, such as the NSO Group’s Pegasus. The documents indicate that Predator has also been marketed to potential buyers under several other code names, including Helios, Nova, Green Arrow, and Red Arrow.
Predator attacks often exploit vulnerabilities, known as zero-days, in platforms like messaging apps to stealthily install the spyware. These exploits can be deployed via a zero-click method (requiring no action from the target) or, as in the lawyer’s case, a 1-click approach, where the victim must open a malicious link to trigger the infection. If the target clicks the booby-trapped link, an exploit for either Google Chrome (on Android) or Apple Safari (on iOS) is loaded. This exploit gains the initial necessary access to the device and then downloads the main spyware payload.
Data from Google’s Threat Intelligence Group (GTIG) has connected Intellexa to the exploitation of numerous zero-day flaws, suggesting the company either develops them internally or purchases them from external brokers. These exploits target critical components, including the Android Runtime, the V8 JavaScript engine in Chrome, and various parts of the iOS kernel and security framework. One specific iOS zero-day exploit chain used against targets in Egypt in 2023 leveraged CVE-2023-41993 and a framework called JSKit for native code execution. GTIG also observed this exact exploit and framework being used by Russian government-backed hackers in an attack against Mongolian government websites, which raises the possibility that the sophisticated exploits are being sourced from a common third-party entity.