Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by spyware vendor Intellexa.
Talos' analysis revealed that rebooting an iOS or Android device may not always remove the Predator spyware produced by Intellexa.
Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.
Intellexa knows whether its customers intend to perform surveillance operations on foreign soil.
Two years after its first public exposure, Intellexa's Predator/Nova spyware solution continues to be undetected by anti-virus solutions.
Almost all publications on malicious operations conducted using Intellexa's spyware consist primarily of malicious domains as indicators of compromise.
After many users had patched against the exploit chains Intellexa was using as of December 2021, the vendor began shipping a new exploit chain to at least one new customer in early 2022; it covered the same Android versions as well as more recent ones.
In May 2023, Cisco Talos published the first ever in-depth technical report on Intellexa's spyware solution named Alien and Predator, showing its inner workings and demonstrating the highly complex software architecture decisions required to make such spyware work properly on the Android operating system.
During the LabsCon 2023 cyber threat intelligence conference, Talos presented the operational risks inherent to the commercial spyware landscape, using Intellexa as a use case.
This research traces the history of the Alien/Predator line of implants, illustrating how a run-down spyware seller, Cytrox, was bought and transformed into an intelligence agency-grade spyware vendor: Intellexa.
Leaked commercial proposals from the Intellexa Alliance have shown that prices per infection are increasing every year, along with the capabilities of the company's technological solution.
In 2018, Cytrox was acquired by WiSpear. In 2019, Nexa Technologies, WiSpear and Senpai Technologies teamed up to create the Intellexa Alliance, a commercial spyware company that, according to public reports, sells spyware to multiple customers without regard for who its targets are or how the spyware may be misused.
Immediately after these firms were consolidated under Intellexa in May 2019, work began on revamping Predator, which at the time was their flagship spyware for Android.
This reinforces the fact that commercial spyware such as Intellexa's is aimed at neither the common man nor petty crimeware operators.
Based on the leaked proposals dated July 2022, Intellexa had already incorporated boot survivability (persistence across reboots) into its Android solution.
From a deniability point of view, this enables the claim that Intellexa doesn't know how victims are being targeted.
From the operational risk perspective, such clauses also shield Intellexa from any responsibility in the event of a public exposure connecting malicious operations back to the vendor.
Intellexa does have first-hand knowledge of whether its software is being used to conduct surveillance operations targeting phone number prefixes outside its customers' country of origin, and possibly outside their jurisdiction.
During the development of the iOS implant, Intellexa hired an iOS expert vulnerability researcher who had previously worked for the NSO Group.
Intellexa now supports OS versions going back 18 months on Android and 12 months on iOS, counted from the last version it supports, which may not be the latest release.
This Cyber News was published on blog.talosintelligence.com. Publication date: Thu, 21 Dec 2023 16:13:05 +0000