Predator Spyware Targets Phones Using Online Ads and 2G Network Vulnerabilities

Keerthana S December 06, 2025 | 04:06 PM Technology

A major leak of Intellexa’s internal files has exposed unprecedented technical insight into the Predator spyware ecosystem — including stealthy smartphone hacking methods delivered through online ads and mobile radio exploits. Despite escalating global scrutiny, sanctions, and legal battles, Intellexa remains operational across several countries and continues advancing its surveillance tools.

This investigation — by Inside Story, Haaretz, and the WAV Research Collective with technical work from Amnesty International’s Security Lab — offers the clearest look yet at the company’s infrastructure, capabilities, and covert practices.

Figure 1. Predator Spyware Targets.

Hacking phones through online ads

The most striking revelation centers on “Aladdin,” a remote zero-click attack chain that weaponizes digital advertising networks. Predator exploit code is hidden inside malicious ads distributed through legitimate websites and apps, meaning a single page view can compromise a device.

Using ad identifiers and public IP data, operators can pinpoint specific targets and deliver spyware via standard ad-buying platforms. Corporate records and infrastructure links also tie Intellexa to multiple front companies involved in deploying this system, including Pulse Advertise and MorningStar TEC. Figure 1 shows Predator Spyware Targets.

Exploiting Samsung’s baseband

Another newly verified tool, “Triton,” uses fake 2G cell towers to exploit Samsung Exynos modem chips. This enables wireless infections without user interaction — useful in secure environments where phishing is ineffective. Leaked documentation and training materials confirm its technical design and intended deployment.

Remote access to customer operations

Internal training videos show Intellexa staff using tools like TeamViewer to directly access operational Predator systems used by government clients. One recording shows a system in Kazakhstan being monitored in real time — contradicting industry claims that spyware vendors cannot access surveillance targets. This revelation raises concerns that Intellexa may be directly complicit in unlawful monitoring of journalists, activists, and political opponents.

Continued use of zero-day exploits

Google’s Threat Intelligence Group has linked Intellexa to at least 15 zero-day exploits affecting both iOS and Android since 2021. These include attacks across regions such as Pakistan, Kazakhstan, Angola, Egypt, Saudi Arabia, and Uzbekistan. Predator’s iOS targeting relies on the JSKit exploit framework, while Android attacks make use of customized Chrome V8 vulnerabilities.

Even under intense political pressure — including U.S. trade sanctions and a high-profile criminal case in Greece — Intellexa continues to shift operations, obscure ownership, and refine Predator to evade detection.

Urgent Calls for Action

Experts warn that this combination of ad-based zero-click delivery, baseband exploits, and vendor-level remote access represents a rapidly escalating security threat. Tech platforms, regulators, and the online advertising sector are urged to strengthen defenses and oversight.

Cite this article:

Keerthana S (2025), Predator Spyware Targets Phones Using Online Ads and 2G Network Vulnerabilities, AnaTechMaz, pp. 338
