A recent analysis by researchers from Cisco Talos has revealed that the Predator spyware, developed by the Intellexa Alliance [1] [2] [3] [4] [5] [7], now has the capability to persist on infected Android systems even after a reboot. This persistence feature became available to customers in April 2022, whereas previously it was only available on iOS devices. The Predator spyware [1] [2] [3] [4] [5] [6] [7] is also designed to target iOS devices.


The Predator spyware, developed by the Intellexa Alliance [1] [2] [3] [4] [5] [7], includes Cytrox [1] [2] [5] [7], Nexa Technologies [1] [2] [4] [5] [7], and Senpai Technologies [1] [2] [4] [5] [7]. It offers a persistence feature that allows it to survive a reboot on infected Android systems. This feature is offered as an add-on depending on the customer’s licensing options [1] [2] [5] [6] [7]. In 2021, the spyware was unable to persist after a reboot on Android systems [6], but it had this capability on iOS devices. The licensing model for this spyware is expensive [3], suggesting it is primarily aimed at state-sponsored agencies. Intellexa’s business model allows customers to set up their own attack infrastructure, providing them with plausible deniability. Despite public exposure and disclosure of malicious domains used by their customers, Intellexa’s operations have remained largely unaffected. It is important for greater analysis and detection efforts that technical analyses and tangible samples of the spyware are publicly disclosed.

Furthermore, both Cytrox and Intellexa were added to the Entity List by the US in July 2023 for their involvement in trafficking cyber exploits used to gain access to information systems [4]. Predator and similar spyware rely on zero-day exploit chains in Android [1] [2] [7], iOS [1] [2] [3] [6] [7], and web browsers for covert intrusion [1] [7]. Intellexa offloads the setup of attack infrastructure to customers [1] [2] [7], allowing plausible deniability [1] [2] [3] [7]. The company also has first-hand knowledge of customers’ surveillance operations outside their own borders [7]. Public exposure of offensive actors has had little impact on their ability to conduct business globally [2] [7].


The Predator spyware’s ability to persist on infected Android systems after a reboot has significant implications for cybersecurity. Its availability on both Android and iOS devices highlights the need for comprehensive protection measures across platforms. The expensive licensing model suggests that it is primarily targeted towards state-sponsored agencies. The ability for customers to set up their own attack infrastructure provides them with plausible deniability, making it difficult to attribute attacks to specific actors. The addition of Cytrox and Intellexa to the Entity List demonstrates the recognition of their involvement in cyber exploitation. Public disclosure of technical analyses and tangible samples of the spyware is crucial for improved analysis and detection efforts [2]. Mitigating the threat posed by Predator and similar spyware requires collaboration between industry, government, and cybersecurity experts to develop effective countermeasures.


[1] https://ciso2ciso.com/experts-detail-multi-million-dollar-licensing-model-of-predator-spyware-sourcethehackernews-com/
[2] https://thehackernews.com/2023/12/multi-million-dollar-predator-spyware.html
[3] https://blog.talosintelligence.com/intellexa-and-cytrox-intel-agency-grade-spyware/
[4] https://jn66dataanalytics.com/news/experts-detail-multi-million-dollar-licensing-model-of-predator-spyware-the-hacker-news
[5] https://www.techidee.nl/deskundigen-beschrijven-het-licentiemodel-van-miljoenen-dollars-voor-predator-spyware/3677/
[6] https://cyber.vumetric.com/security-news/2023/12/21/experts-detail-multi-million-dollar-licensing-model-of-predator-spyware/
[7] https://vulners.com/thn/THN:1B19999C9E7D61691C91359AEBCCE75D