‼️🇮🇱 Smartphones worldwide were silently infected with Israeli malware via malicious ads
Simply viewing their ads was enough to get infected.
Surveillance company Intellexa gained full access to cameras, microphones, chat apps, emails, GPS locations, photos, files, and browsing activity.
Simply viewing their ads was enough to get infected.
Surveillance company Intellexa gained full access to cameras, microphones, chat apps, emails, GPS locations, photos, files, and browsing activity.
Internal leaked company documents, sales and marketing materials, as well as training videos from the “Intellexa Leaks” investigation provide a never-before-seen glimpse into the internal operations of a mercenary spyware company focused on exploiting vulnerabilities in mobile devices to enable targeted surveillance attacks on human rights defenders, journalists, and members of civil society.
In an attempt to hide the spyware operator's identity, all data is relayed through a chain of anonymization servers called the “CNC Anonymization Network.”
Since the spyware relies on browser exploits, the operator must trick the victim into opening the malicious link; if the link is not opened, infection fails.
Each time a one-click attack link is sent, it risks exposing the operator, as a suspicious target may share it with forensic experts, revealing the attack and potentially the operator.
Since the spyware relies on browser exploits, the operator must trick the victim into opening the malicious link; if the link is not opened, infection fails.
Each time a one-click attack link is sent, it risks exposing the operator, as a suspicious target may share it with forensic experts, revealing the attack and potentially the operator.
To avoid detection, Intellexa has designed several “delivery vectors”—different approaches to triggering the opening of an infection link on the target’s phone without requiring the target to manually click it. This enables Intellexa to offer zero-click-like functionality without needing additional zero-click exploits.
One slide shows they’ve been buying or partnering with ISPs to deliver their malicious payloads.
Ongoing research and technical investigations by Amnesty International indicate that advertisement-based infection methods are being actively developed and used by multiple mercenary spyware companies and by certain governments that have built similar ADINT infection systems.
Amnesty International believes that the use of such “silent” vectors to deliver browser exploits will continue to grow as targets become increasingly suspicious of unknown links and as true zero-click attacks become more expensive and technically difficult to achieve. These findings should redouble efforts by technology vendors and companies in the digital advertising ecosystem to investigate and disrupt such attacks.
Amnesty International believes that the use of such “silent” vectors to deliver browser exploits will continue to grow as targets become increasingly suspicious of unknown links and as true zero-click attacks become more expensive and technically difficult to achieve. These findings should redouble efforts by technology vendors and companies in the digital advertising ecosystem to investigate and disrupt such attacks.
Despite Intellexa being sanctioned by the US, they're still operating.
Read the full Amnesty report: securitylab.amnesty.org/latest/2025/12…
• • •
Missing some Tweet in this thread? You can try to
force a refresh
