A commercial spyware firm, Intellexa, has been identified as exploiting 15 zero-day vulnerabilities since 2021 to target users of both iOS and Android devices globally. This aggressive exploitation makes Intellexa one of the most active companies leveraging unknown security flaws in mobile browsers. Despite U.S. government sanctions, the company continues its operations, with recent attacks detected in countries including Saudi Arabia, Pakistan, and Egypt, posing an ongoing threat to mobile users worldwide.
Google Cloud security researchers reported that Intellexa is actively using these zero-day exploits to compromise devices. The attacks typically begin with hidden links sent through encrypted messaging applications, which lead victims to compromised websites hosting the exploits. The exploits are designed to execute malicious code and gain unauthorized access to the device. The research also indicates that Intellexa often acquires exploit chains from third-party sources rather than developing them entirely in-house, which lets it respond quickly to security patches and keep operating.
Intellexa’s Continued Exploitation of Zero-Day Vulnerabilities
Since 2021, approximately 70 zero-day vulnerabilities have been discovered across various platforms, and Intellexa has been responsible for utilizing 15 distinct exploits among them. These vulnerabilities encompass a range of critical security issues, including Remote Code Execution (RCE), Sandbox Escape, and Local Privilege Escalation (LPE). While the affected vendors have since issued patches for these specific flaws, Intellexa’s continuous acquisition and deployment of new exploit chains demonstrate a persistent effort to maintain its offensive capabilities. The company reportedly operates through front organizations to obscure its true identity and evade detection, continuing to serve its clients across different nations.
A recent documented case from Egypt highlights Intellexa’s sophisticated attack methodology. Researchers found that the company deployed an exploit chain internally referred to as “smack” to install its Predator spyware on iOS devices. This attack chain initiated with a vulnerability in Apple’s Safari browser, tracked as CVE-2023-41993. The exploit leveraged a framework known as JSKit to achieve memory read and write access. This particular framework has been observed in numerous attack campaigns since 2021, including those attributed to Russian state-backed actors, indicating its widespread use and effectiveness.
Infection Mechanism and Stealth Capabilities
The infection process is multi-staged. Following the initial exploitation in the Safari browser, the next stage uses kernel vulnerabilities, specifically CVE-2023-41991 and CVE-2023-41992, to break out of the Safari sandbox. This gives kernel memory access and paves the way for the third-stage payload. That final stage consists of two primary modules: a “helper” and a “watcher.” The watcher module is designed to evade detection by monitoring the infected device for any signs of security analysis. It actively checks for developer modes, console attachments, security software, and non-standard network configurations.
To maintain its stealth, the watcher module is programmed to self-terminate the exploit if it detects specific conditions. These include the presence of certain geographical locales such as U.S. or Israeli regions, the installation of security applications like McAfee or Norton, or the attachment of debugging tools such as Frida or SSH. This sophisticated evasion tactic is crucial for maintaining the spyware’s presence on a device without immediate discovery.
The helper module, conversely, provides the core spyware functionalities through custom hooking frameworks named DMHooker and UMHooker. These hooks enable the interception and recording of voice calls, which are then stored in a specific file format. The module also captures keystrokes entered by the user and can activate the device’s camera to take photos. Furthermore, it hooks into the SpringBoard process to suppress any notification alerts related to these intrusive actions, ensuring the user remains unaware of the compromised state of their device. Compilation artifacts have also provided insights into internal tracking names and build paths, such as `/Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/`, further confirming the internal operations and naming conventions used by Intellexa.
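Compilation artifacts like the build path above are useful to defenders beyond a single sample: GitLab Runner checks projects out under a fixed directory layout whose runner token identifies the build machine, so the same token in another binary points to the same pipeline. The following Python triage scanner is an added example, not code from the report or from Google's researchers; the build path is the one quoted above, while the runner layout regex, the known-token set and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys
from typing import NamedTuple

# Build path quoted in the report above (the only page-sourced value in this example).
KNOWN_BUILD_PATH = "/Users/gitlab_ci_2/builds/jbSFKQv5/0/roe/ios16.5-smackjs8-production/"
# The runner's short token identifies the build machine, so any binary carrying it
# was plausibly produced by the same pipeline even if the project name differs.
KNOWN_RUNNER_TOKENS = {"jbSFKQv5"}

# Assumed layout: GitLab Runner checks projects out under
# builds/<runner-short-token>/<concurrent-id>/<namespace>/<project>, here
# prefixed by the macOS home directory of whatever account runs the runner.
BUILD_PATH_RE = re.compile(
    rb"/Users/(?P<user>[A-Za-z0-9_.-]+)/builds/(?P<token>[A-Za-z0-9_-]{6,16})/"
    rb"(?P<cid>\d+)/(?P<namespace>[A-Za-z0-9_.-]+)/(?P<project>[A-Za-z0-9_.-]+)/?"
)

class BuildPath(NamedTuple):
    offset: int
    user: str
    token: str
    namespace: str
    project: str
    known_runner: bool

def extract_build_paths(blob: bytes) -> list[BuildPath]:
    """Pull GitLab-style CI build paths out of raw bytes (e.g. a Mach-O string table)."""
    found = []
    for m in BUILD_PATH_RE.finditer(blob):
        token = m.group("token").decode()
        found.append(BuildPath(
            offset=m.start(),
            user=m.group("user").decode(),
            token=token,
            namespace=m.group("namespace").decode(),
            project=m.group("project").decode(),
            known_runner=token in KNOWN_RUNNER_TOKENS,
        ))
    return found

# Constructed sample: a fake string table holding the reported path and an unrelated one.
SAMPLE_BLOB = (
    b"\x00__TEXT\x00" + KNOWN_BUILD_PATH.encode() + b"\x00libswiftCore\x00"
    b"/Users/ci/builds/AbCdEf12/3/acme/weather-app/Sources/main.swift\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    for hit in extract_build_paths(data):
        flag = "KNOWN RUNNER" if hit.known_runner else "unknown"
        print(f"0x{hit.offset:x} {hit.namespace}/{hit.project} token={hit.token} [{flag}]")
```

Run it against a file (`python scan.py payload.bin`) to list every embedded build path and flag those from a runner already tied to Predator builds.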
Intellexa’s continued exploitation of zero-day vulnerabilities, coupled with its adaptive tactics and operational obfuscation, presents a significant and evolving challenge for mobile security. The global reach of these attacks and the potential impact on individuals and organizations necessitate ongoing vigilance and rapid response from the cybersecurity community and affected vendors. The effectiveness of international sanctions in curbing the activities of such entities remains a critical point of observation in the ongoing battle against advanced persistent threats.