Government-critical journalist from Angola had Predator spyware on his phone
The Predator spyware was found on the iPhone of a government-critical journalist from Angola. Amnesty explains how it may have happened.
A government-critical journalist and activist from Angola fell victim to an attack with the Predator spyware, according to a recent forensic investigation by Amnesty International's Security Lab. According to the investigation, Teixeira Cândido opened a malicious link he received via WhatsApp in 2024. The link came from a supposed representative of a group of Angolan students with whom he had contact via the messenger. The actual sender is unknown. The software ran unnoticed on his iPhone for about a day until a restart of the device removed it.
The human rights organization explains that attacks on Cândido have been increasing since 2022. For example, his office and those of other journalists have been broken into multiple times. The targeted attack with the Predator spyware is the first forensically documented case of its kind in the country. However, there are indications of further Predator attacks since 2023. In the Press Freedom Index by Reporters Without Borders, Angola ranks 100th out of 180.
The spyware is not unknown
The Predator spyware used originates from Intellexa. The company, based in Ireland, was founded in 2018 by an Israeli ex-officer with colleagues from the military and the security and intelligence sector. The Intellexa Alliance, an association of the company with other IT firms, has in the past sold software to Qatar, Vietnam and Pakistan, as well as to Germany.
In addition to targeted espionage, the Predator software is programmed to deactivate itself and cover its tracks if discovery is imminent. This involves sending an encrypted status message to the attackers, which can be used to further improve the software. Predator has been repeatedly used against journalists and politicians in the past.
Security vulnerabilities exploited
At the time of infection, Cândido's iPhone was running iOS 16.2. The spyware disguised itself as the system process "iconservicesagent" and operated in the "/private/var/containers/Bundle/" directory. The iOS update 17.4.1, which among other things closed security vulnerabilities of previous updates, was already available. The Amnesty investigation does not explain why the journalist had not installed the software update. Predator had exploited the vulnerability CVE-2023-41991 to infiltrate iPhones.
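The disguise described above, a process carrying a system process name while running from the directory tree that holds installed app bundles, can be checked for in a process listing. The following is an added example, not code from Amnesty or from the original article; the input format ("<pid> <executable path>" per line), the sample data and the watchlist are assumptions, and only the name "iconservicesagent" and the directory come from the article.

```python
import posixpath

# Assumption: analyst-maintained list of names that belong to OS components.
# Only "iconservicesagent" comes from the article.
SYSTEM_PROCESS_NAMES = {"iconservicesagent"}

# Directory named in the article; on iOS this tree holds installed app bundles.
BUNDLE_ROOT = "/private/var/containers/Bundle/"

# Constructed sample: "<pid> <executable path>" per line. Not real device data.
SAMPLE_PROCESS_LIST = """\
101 /usr/libexec/backboardd
245 /private/var/containers/Bundle/Application/EXAMPLE-UUID-1/Notes.app/Notes
312 /private/var/containers/Bundle/iconservicesagent
313 /var/containers/Bundle/Application/EXAMPLE-UUID-2/iconservicesagent
not-a-valid-line
"""

def normalize(path):
    """Collapse '..' segments and map /var to /private/var (a symlink on iOS)."""
    path = posixpath.normpath(path)
    if path == "/var" or path.startswith("/var/"):
        path = "/private" + path
    return path

def find_masquerading(process_list, names=SYSTEM_PROCESS_NAMES):
    """Return (pid, path) for system-named executables running from the bundle tree."""
    hits = []
    for line in process_list.splitlines():
        pid, _, path = line.strip().partition(" ")
        path = path.strip()
        if not pid.isdigit() or not path.startswith("/"):
            continue  # skip malformed records instead of failing the whole scan
        path = normalize(path)
        if path.startswith(BUNDLE_ROOT) and posixpath.basename(path) in names:
            hits.append((int(pid), path))
    return hits

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE_PROCESS_LIST):
        print(f"suspicious: pid={pid} path={path}")
```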
(wpl)