A sophisticated new iOS zero-day exploit chain has been identified, leveraging multiple previously unknown vulnerabilities. This chain, attributed to the mercenary spyware vendor Intellexa, enables discreet device surveillance of high-risk individuals, including civil society members and political targets. The operation highlights the ongoing use of advanced exploitation techniques, particularly browser and kernel bugs, by well-funded entities for covert monitoring.
The attack commences with a deceptively simple, one-time link, typically delivered over an encrypted messaging platform. When the target opens the link in Safari, the page runs an exploit sequence that ends in remote code execution through a WebKit flaw, later patched by Apple as CVE‑2023‑41993. This first stage, built on a reusable exploitation framework known as JSKit, gives the attacker arbitrary read and write primitives inside the Safari renderer (the sandboxed WebContent process) and from there native code execution on current iOS versions. Researchers note that JSKit has been reused by other surveillance vendors and state-sponsored actors since 2021, which points to an established market for such exploit components rather than a bespoke tool.
Google Cloud security researchers were instrumental in identifying the complete exploit chain in active campaigns targeting devices in Egypt. The company confirmed that Intellexa internally codenamed this operation “smack,” and it was employed to deploy their Predator spyware family. The effectiveness of this method underscores the persistent threat posed by commercial spyware to user privacy and security.
The Multi-Stage iOS Zero-Day Exploit Chain
Once the browser is compromised, the chain moves to a critical second stage: escaping the Safari sandbox, the security boundary that isolates the renderer from the rest of the system. It relies on two further flaws that Apple fixed in the same update as the WebKit bug: CVE‑2023‑41991, a signature-validation bypass in the Security framework, and CVE‑2023‑41992, a kernel privilege-escalation vulnerability. Together they let the attacker move from a sandboxed renderer process to privileged control of the operating system.
With the sandbox escape and privilege escalation complete, the spyware holds the most powerful position available on the device: the ability to read and write kernel memory. A third-stage payload, tracked by researchers as PREYHUNTER, builds on that access. PREYHUNTER is made up of several modules, referred to as “helper” and “watcher” components.
PREYHUNTER: Stealthy Surveillance and Evasion
The PREYHUNTER helper module establishes the communication channels between the implant's components and prepares the device for further compromise. It listens on a Unix domain socket at `/tmp/helper.sock`, which other parts of the implant use to talk to it; that fixed path is one of the few concrete on-device artifacts the report gives and is worth checking for during forensic triage. To support its surveillance functions the helper installs two hooking components, DMHooker and UMHooker, into sensitive system frameworks. The hooks are designed to intercept access to critical data and services.
Through these hooks, PREYHUNTER gains the ability to perform a range of covert surveillance activities. This includes capturing audio recordings, logging user keystrokes, and secretly accessing the device’s camera. All of this occurs while actively working to conceal its presence by suppressing notifications that might alert the user to its activity. The sophisticated nature of these modules demonstrates a deliberate effort to achieve long-term, undetectable monitoring.
Evasion Tactics and the PREYHUNTER Watcher
The watcher module within PREYHUNTER exists to keep the operation hidden. It continuously scans the compromised device for signs that it might be in the hands of a security researcher rather than the intended target: developer mode being enabled, jailbreak or instrumentation tools such as checkra1n or Frida, security products from vendors like McAfee or Avast Mobile Security, user-installed root Certificate Authorities (the usual sign of an interception proxy), or a configured HTTP proxy.
If any of these indicators is present, the chain halts immediately rather than delivering the payload. This evasion tactic minimizes the forensic footprint left on the device and makes the compromise significantly harder to discover and analyze; it also means that a device set up to capture the chain in the usual way, with a proxy, a custom CA and developer mode, is exactly the device the chain refuses to run on. This calculated approach, combined with the kernel-level access the chain achieves, points to a mature, well-coordinated ecosystem of exploit developers, brokers and spyware operators working together to keep their iOS surveillance campaigns effective and persistent.
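Two small triage helpers follow, as an added example that is not code from the original report or from the researchers it cites. The first scans an `lsof -U`-style listing for processes holding the helper module's socket at `/tmp/helper.sock`, the one artifact path the report gives. The second applies the watcher's research-indicator list to a description of a device, so an analyst can confirm that a device meant to capture the chain presents none of the conditions that make it halt. The process names, listing format and device profiles are constructed sample data, not data from the report.

```python
"""Triage helpers for the PREYHUNTER indicators described in the text.

Added example, not code from the original report. The only indicator taken
from the page is the helper module's Unix socket path; the listing lines,
process names and device profiles below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Indicator taken from the report: the helper module's Unix domain socket.
PREYHUNTER_SOCKET = "/tmp/helper.sock"

# Research/debug conditions the watcher module checks for, as listed on the page.
JAILBREAK_MARKERS = ("frida", "checkra1n")
SECURITY_APP_MARKERS = ("mcafee", "avast")

# lsof -U style row: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# (column spacing varies between platforms, so the match is whitespace-tolerant)
_UNIX_SOCK_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+unix\b.*?(?P<path>/\S+)"
)


def scan_unix_sockets(listing: str, target: str = PREYHUNTER_SOCKET) -> List[dict]:
    """Return every process in an lsof-style listing that holds `target` open."""
    hits = []
    for line in listing.splitlines():
        m = _UNIX_SOCK_RE.match(line.strip())
        if m and m.group("path") == target:
            hits.append({"cmd": m.group("cmd"), "pid": int(m.group("pid")), "path": target})
    return hits


@dataclass
class DeviceProfile:
    """What the watcher can observe about a device (constructed model)."""
    developer_mode: bool = False
    installed_apps: List[str] = field(default_factory=list)
    filesystem_paths: List[str] = field(default_factory=list)
    user_root_cas: List[str] = field(default_factory=list)   # user-installed roots only
    http_proxy: Optional[str] = None


def tripped_indicators(profile: DeviceProfile) -> List[str]:
    """List the watcher's research indicators that `profile` presents.

    Any non-empty result is a reason the chain would halt before delivering
    the payload; a capture device therefore has to return an empty list.
    """
    tripped = []
    if profile.developer_mode:
        tripped.append("developer_mode")
    names = [s.lower() for s in profile.installed_apps + profile.filesystem_paths]
    if any(marker in s for s in names for marker in JAILBREAK_MARKERS):
        tripped.append("jailbreak_tools")
    apps = [a.lower() for a in profile.installed_apps]
    if any(marker in a for a in apps for marker in SECURITY_APP_MARKERS):
        tripped.append("security_apps")
    if profile.user_root_cas:
        tripped.append("custom_root_ca")
    if profile.http_proxy:
        tripped.append("http_proxy")
    return tripped


# Constructed sample listing: two implant processes sharing the helper socket.
SAMPLE_LSOF = """\
COMMAND   PID   USER  FD   TYPE  DEVICE   SIZE/OFF NODE NAME
launchd     1   root   5u  unix  0x8d1a   0t0      /var/run/launchd.sock
helper    412 mobile   3u  unix  0x9c22   0t0      /tmp/helper.sock
watcher   418 mobile   4u  unix  0x9c23   0t0      /tmp/helper.sock
"""

# Constructed profiles: an ordinary phone and a typical analysis phone.
CLEAN_DEVICE = DeviceProfile(installed_apps=["Signal", "Safari"])
RESEARCH_DEVICE = DeviceProfile(
    developer_mode=True,
    filesystem_paths=["/usr/sbin/frida-server"],
    user_root_cas=["mitmproxy"],
    http_proxy="10.0.0.2:8080",
)

if __name__ == "__main__":
    for hit in scan_unix_sockets(SAMPLE_LSOF):
        print(f"{hit['cmd']} (pid {hit['pid']}) holds {hit['path']}")
    print("clean device trips:", tripped_indicators(CLEAN_DEVICE))
    print("research device trips:", tripped_indicators(RESEARCH_DEVICE))
```

The socket scan is only as good as the listing it is given; on a live device the implant's hooks may filter what process and file listings return, so a listing captured from a forensic image or a trusted external tool is more reliable than one produced on the device itself.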
The continued discovery of iOS zero-day exploit chains of this quality underscores the ongoing arms race between security researchers and commercial spyware vendors. Apple's patches close these particular flaws, but the steady emergence of new, previously unknown ones means that users in high-risk categories cannot rely on patching alone and must remain vigilant, above all about unsolicited links. Future work will likely focus on dissecting the full capabilities of the Predator spyware and the evolving tactics of Intellexa and similar vendors.