Apple and Google are warning users around the world that they may have been targeted in a new wave of sophisticated hacking and surveillance attempts. The companies said the security threats are tied to commercial spyware and state-backed attackers.
Apple sent a fresh round of threat notifications on Dec. 2 to customers it believes were singled out by government-backed hackers. The company did not say how many people were affected or who was suspected, but said that “to date we have notified users in over 150 countries in total.”
Intellexa is a commercial cyber intelligence vendor whose “Predator” spyware is sold to government and law enforcement clients and has been sanctioned by the U.S. government. In its public statement on the latest campaign, Google said Intellexa is “evading restrictions and thriving.”
Over the past several years, Intellexa has become one of the most active spyware providers exploiting previously unknown, or zero‑day, flaws in mobile browsers. Google’s Threat Analysis Group, now part of its Threat Intelligence Group, has tied Intellexa to 15 unique zero‑day vulnerabilities since 2021, all of which have since been patched by vendors.
One operation targeting people in Egypt used a full iOS exploit chain that Google and researchers at Citizen Lab captured in 2023. The attack relied on a Safari browser flaw and a framework Intellexa referred to internally as “smack” to silently install Predator on iPhones.
Once a device is compromised, Intellexa’s tools can deploy “helper” and “watcher” modules that check for signs of investigators and enable classic spyware capabilities, such as recording calls, logging keystrokes, and taking pictures through the camera. The watcher module also looks for security tools, jailbreaking apps, and other red flags, and can shut down the operation if it detects unusual behavior.
Those bugs could allow “arbitrary code-execution attacks through malicious web content” that might already have been used “on Intel-based Macs,” Apple said in its security alerts. The vulnerabilities could expose sensitive data, enable stolen credentials, or give hackers control of a device if users simply visited a booby‑trapped site.
The U.S. Cybersecurity and Infrastructure Security Agency warned that “a cyber-threat actor could exploit one of these vulnerabilities to take control of an affected system,” urging users to apply Apple’s fixes.
Security researchers say these kinds of notifications are not just courtesy emails but strategic tools. Threat notifications “impose costs on cyber spies by alerting victims” and are “often the first step in a string of investigations and discoveries that can lead to real accountability around spyware abuses,” according to John Scott-Railton of Citizen Lab.
Earlier waves of alerts from tech companies have already drawn scrutiny from regulators and lawmakers. The European Union has opened investigations after learning that some of its senior officials were targeted with spyware.
Google is also moving beyond individual warnings. It has added domains linked to Intellexa to its Safe Browsing service. It is also delivering government‑backed attack warnings “to all known targeted accounts associated with Intellexa’s customers since 2023,” covering several hundred accounts.