A New Era of Mercenary Spyware

Predator is a commercial spyware platform designed to infiltrate mobile devices—most commonly iPhones and Android smartphones—and enable covert, continuous surveillance. Originally developed by Cytrox, an entity within the Intellexa network, Predator is engineered to bypass modern security protections and give operators near-total access to a victim’s digital life.

Key characteristics of Predator include:

  • Modular architecture that allows operators to deploy different capabilities depending on their goals.

  • Ability to run silently, without visible apps or notifications.

  • Sophisticated exploit chains, sometimes using multiple zero-day vulnerabilities.

  • Real-time monitoring, including live microphone and camera control.

  • Multi-platform targeting, expanding beyond early Android focus to include iOS devices.

Predator’s continued evolution demonstrates the growing resilience of mercenary spyware—even as global pressure intensifies.


How Predator Works

Predator operates as a full device-compromise toolkit, giving operators powerful surveillance capabilities through a multi-stage process. While technical details vary per campaign, publicly available research points to a consistent lifecycle.

Targeting & Reconnaissance

Operators identify high-value individuals—journalists, political figures, activists, corporate executives, etc.

Infection Delivery

Victims are lured through malicious links, intercepted connections, or zero-click vulnerabilities.

Exploit Execution

Predator uses a chain of vulnerabilities—sometimes zero-days—to gain privileged access.

Spyware Deployment

The Predator agent installs silently, often without leaving obvious forensic traces.

Surveillance & Exfiltration

Operators monitor the device in real time, record audio, siphon data, and track location.

Persistence or Self-Destruct

Predator can remain on a device for extended periods or delete itself if triggered or detected.

What Happens When Predator is Installed on a Device?

Once installed, Predator provides full-spectrum surveillance capabilities. Operators can access nearly every part of a smartphone—often without generating visible signs of compromise.

Full Device Takeover

  • Extract messages from encrypted apps (WhatsApp, Signal, Telegram)
  • Record audio through the microphone
  • Activate front or rear cameras
  • Capture screenshots and screen recordings
  • Read emails, calendars, and notes
  • Access call logs, contacts, and browsing history
  • Track GPS location in real time
  • Monitor keystrokes
  • Steal authentication tokens, effectively bypassing two-factor authentication

Because Predator sits at a deeper level of the operating system, it can monitor activity before it becomes encrypted.

High-Value Data Targets

Research shows Predator can steal:

  • Passwords and authentication tokens
  • Personal photos, documents, and files
  • Encrypted messages and chats
  • Political or professional communications
  • Sensitive legal or journalistic materials
  • Movement patterns and travel itineraries

This information can be used for surveillance, harassment, political manipulation, blackmail, or authoritarian control.

Stealth and Persistence

Predator is engineered to: 

  • Hide its presence
  • Operate quietly in the background
  • Remove traces of its activity
  • Self-destruct if it detects analysis

This makes forensic detection extremely difficult for average users and even many security professionals.

How Can You Protect Against Predator?

  • Keep your device updated: Install the latest security patches for your operating system and apps.
  • Limit exposure to messaging apps: If possible, disable iMessage, WhatsApp, and other communication apps vulnerable to zero-click attacks.
  • Use high-security devices: Phones with hardened security, such as Sotera SecurePhone or other encrypted devices, offer better protection.
  • Restart your phone regularly: Some versions of Pegasus are removed when a device is rebooted, providing a temporary security measure.
  • Disable unnecessary features: Turn off Bluetooth, Wi-Fi, and location tracking when not in use to minimize exposure to network-based exploits.

 


Protect Your Communications with the Sotera SecurePhone

A secure line for ultimate security and privacy


Security

Keep your conversations confidential with the SecurePhone with protection against all known mobile threats, including zero-click spyware like Predator, malware, and network intrusions.

Simplicity

Automatically connect to the strongest mobile network anywhere in the world with Sotera’s best-in-class global SIM.

Connectivity

Stay seamlessly connected to everything that matters the most. With the SecurePhone, you can make secure calls and texts regardless of where you are in the world.

Concerned about mobile security? Talk with one of our experts to discover how Sotera SecurePhone can protect you from threats like Predator.