Amnesty finds Predator spyware on Angolan journalist’s iPhone

Peter Chofield

Predator spyware: Amnesty International’s Security Lab confirms that the iPhone of prominent Angolan journalist Teixeira Cândido was infected in May 2024, granting operators access to messages, audio, location data and files. Forensic traces recovered from the device also show multiple targeted re‑infection attempts via link lures.

Background

Predator is commercial mobile spyware supplied by Intellexa and associated vendors. Independent research from Citizen Lab and Google’s Threat Analysis Group (TAG) has linked Predator deployments to zero‑day exploit chains, network injection and link‑based lures. Amnesty’s Security Lab investigation documents a forensically validated Predator infection in Angola and places the case alongside earlier technical reporting and the 2025 Intellexa leaks.


Technical analysis

Amnesty’s timeline shows the intrusion began after the journalist received several WhatsApp messages from a local Angolan number using a plausible sender identity. On 4 May 2024 the journalist opened a link; the device was running an out‑of‑date iOS build with multiple known vulnerabilities. Forensic artifacts indicate Predator executed, collected chat histories (WhatsApp, Signal), captured screenshots and audio recordings, recorded calls, reported GPS coordinates, and exfiltrated credentials and files. The active payload ceased after a device restart, but persistent artifacts remained in application directories.

Citizen Lab and Google TAG reporting documents comparable delivery patterns — link lures and, in other campaigns, network injection — and supplies exploit fingerprints and network indicators that can be cross‑referenced with Amnesty’s artifacts.

Impact and attribution

Amnesty calls this the first forensically validated Predator deployment against civil‑society targets in Angola. Although the active infection was short‑lived, the data collection window provided operators access to private communications and location history. Amnesty does not attribute the intrusion to a named government; the organisation stresses that commercial surveillance sales and unchecked deployment continue to present global human‑rights risks.

Protection steps

  • Install official OS updates promptly to mitigate known CVEs.
  • Harden messaging workflows: verify unexpected senders and avoid opening unsolicited links.
  • Use device‑level protections and endpoint detection to capture indicators of compromise.
  • Where forensic evidence exists, engage independent technical labs and notify national CERTs or relevant authorities.

Sources & further reading

Forensic evidence

Amnesty’s Security Lab recovered application‑level artifacts that match Predator behaviour: modified chat databases, temporary audio files, screenshot images and file metadata linked to the 4 May 2024 event. The report documents device metadata (iOS build, installed app versions) and a message timeline used to reconstruct the infection chain. Amnesty describes the findings as forensic traces rather than a persistent running implant: the active binary was removed after restart, but sufficient artifacts remained for analysis.

Where available, Citizen Lab and Google TAG provide technical signatures and network indicators that support cross‑case correlation.

Timeline & IOCs

Timeline:

  1. April–June 2024: Target receives multiple WhatsApp messages from a local Angolan number.
  2. 4 May 2024: Journalist opens a malicious link; forensic artifacts indicate Predator executed and collected data.
  3. Same day: Active payload removed after device restart; forensic artifacts remain.
  4. Following days: At least 11 re‑infection attempts via new links were observed but appear unsuccessful.

Key indicators (escaped):

  • Delivery: WhatsApp/SMS link‑based lures
  • Redirector domain: c[.]betly[.]me
  • Exploit server: sec-flare[.]com
  • Related CVEs: CVE-2023-41991, CVE-2023-41992, CVE-2023-41993
  • Forensic artifact types: modified WhatsApp/Signal databases, temporary audio files, screenshots, timestamps (2024-05-04)
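The two escaped domains above lend themselves to a quick retrospective sweep of DNS and proxy logs, which is the practical form of the "capture indicators of compromise" step in the protection list. The script below is an added example and is not part of Amnesty's report or of any published tooling: it refangs the indicators exactly as listed on this page, checks each log line for an exact or subdomain match, and then lists the source addresses whose devices should be pulled for forensic review. The log line format and the sample lines are constructed for the example; the CVE list is carried along only as reference metadata for the case.

```python
import re
from typing import Iterable

# Indicators exactly as published above, in defanged ("escaped") form.
DEFANGED_IOCS = [
    "c[.]betly[.]me",   # redirector domain
    "sec-flare[.]com",  # exploit server
]

# CVEs the article associates with this case; kept as case metadata only.
RELATED_CVES = ["CVE-2023-41991", "CVE-2023-41992", "CVE-2023-41993"]

# Constructed sample log lines (hypothetical format: DNS and proxy events).
SAMPLE_LOG = [
    "2024-05-04T10:12:03Z dns query src=10.0.0.12 qname=c.betly.me type=A",
    "2024-05-04T10:12:04Z proxy src=10.0.0.12 url=https://sec-flare.com/ status=200",
    "2024-05-04T10:13:00Z dns query src=10.0.0.12 qname=www.example.com type=A",
    "2024-05-05T08:00:00Z proxy src=10.0.0.20 url=https://cdn.sec-flare.com/x status=200",
]

# Pulls candidate hostnames out of free-form log text (optional scheme prefix).
HOST_RE = re.compile(r"(?i)(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ioc_hosts() -> set:
    """Lower-cased, refanged set of the page's domain indicators."""
    return {refang(i).lower() for i in DEFANGED_IOCS}


def host_matches(candidate: str, ioc: str) -> bool:
    """Exact match, or candidate is a subdomain of the indicator."""
    return candidate == ioc or candidate.endswith("." + ioc)


def sweep(lines: Iterable[str], hosts: set = None) -> list:
    """Return (line_number, matched_host, indicator) for every IOC hit."""
    hosts = hosts or ioc_hosts()
    hits = []
    for n, line in enumerate(lines, 1):
        for cand in HOST_RE.findall(line):
            cand = cand.lower()
            for ioc in hosts:
                if host_matches(cand, ioc):
                    hits.append((n, cand, ioc))
    return hits


def affected_sources(lines: list, hits: list) -> list:
    """Source addresses on hit lines: the devices to pull for forensic review."""
    srcs = set()
    for n, _, _ in hits:
        m = SRC_RE.search(lines[n - 1])
        if m:
            srcs.add(m.group(1))
    return sorted(srcs)


if __name__ == "__main__":
    found = sweep(SAMPLE_LOG)
    for n, host, ioc in found:
        print(f"line {n}: {host} matched indicator {ioc}")
    print("sources to triage:", affected_sources(SAMPLE_LOG, found))
    print("related CVEs to confirm patched:", ", ".join(RELATED_CVES))
```

Subdomain matching is deliberate: a redirector or exploit server is routinely fronted by hostnames beneath the published domain, so an exact-only check would miss the fourth sample line. Run the same sweep over real DNS resolver and web proxy exports for the April to June 2024 window the timeline covers, then treat any matching source as a device that needs an out-of-band forensic check rather than a remote cleanup.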