Summary:

A new analysis of Predator spyware reveals that its persistence between reboots is an “add-on feature” offered based on licensing options. Predator is a product of the Intellexa Alliance, which was added to the U.S. Entity List in July 2023 for “trafficking in cyber exploits.” It can target both Android and iOS, and is sold on a licensing model that runs into millions of dollars. Spyware like Predator often relies on zero-day exploit chains, which can be rendered ineffective as Apple and Google plug security gaps. Intellexa offloads the work of setting up the attack infrastructure to the customers themselves, and uses a delivery method known as Cost Insurance and Freight (CIF) to claim they have no visibility of where the systems are deployed. Predator’s operations are connected to the license, which is by default restricted to a single phone country code prefix, but this can be loosened for an additional fee. Cisco Talos says that public disclosure of technical analyses of mobile spyware and tangible samples is needed to enable greater analyses, drive detection efforts, and impose development costs on vendors.

Original analysis: blog.talosintelligence.com/intellexa-and-cytrox-i…