A prominent Angolan journalist’s iPhone was compromised with Predator spyware, according to new forensic research from Amnesty International, underscoring how mercenary surveillance tools continue to target civil society despite sanctions and mounting scrutiny. Investigators say the attack was delivered via WhatsApp links, one of which the journalist, Teixeira Cândido, eventually tapped, triggering the infection.
Amnesty Ties Intrusion to Predator Infrastructure
Amnesty International’s Security Lab said it linked the compromise to Intellexa’s Predator by examining network and device traces on Cândido’s phone. The team identified infection servers previously associated with Predator operations and found that the implant cloaked itself by impersonating legitimate iOS system processes, both to avoid the user's suspicion and to evade security tools.

Researchers could not confirm the precise exploit chain that delivered the malware, noting the device was running an outdated iOS version at the time. Crucially, the implant appears to have lacked persistence: after Cândido rebooted his phone hours later, the spyware was wiped from memory—consistent with behaviors documented for modern, stealth-focused mobile implants.
Amnesty’s internet scanning also surfaced multiple Predator-linked domains operating in Angola, suggesting Cândido may not be the only target. The earliest Angola-tied infrastructure dates back to early last year, an indicator of testing or phased deployment. However, the watchdog stopped short of identifying a specific customer, emphasizing that technical artifacts alone cannot conclusively attribute the operator.
Predator’s Playbook and Why Journalists Are at Risk
Predator, developed and sold within the Intellexa commercial spyware alliance, is designed to harvest messages, microphone audio, photos, and app data from infected devices. Unlike some “zero-click” exploits attributed to other firms, Predator has frequently been observed using one-click lures—shortened or plausibly themed links sent by SMS, WhatsApp, or social platforms—that rely on a target opening the page to trigger exploitation.
Journalists, opposition figures, and activists are disproportionately exposed. They work under constant pressure, often rely on mobile-first communications, and are regularly contacted by unknown sources—conditions that make a well-crafted lure more likely to succeed. Previous investigations by Google’s Threat Analysis Group and Citizen Lab have tied Predator operations to campaigns in Egypt, Greece, and Vietnam, including attempts to bait officials with links on social media.
Intellexa Under Sanctions but Still Active
Intellexa has drawn intense global scrutiny for operating through an opaque corporate network across multiple jurisdictions, a structure government officials have criticized as a means to navigate export controls. The company, its founder Tal Dilian, and associates have been the subject of U.S. sanctions and trade restrictions, and lawmakers have pressed for greater transparency around enforcement. Yet Amnesty’s latest casework, coupled with prior leaks suggesting the vendor’s deep visibility into client systems, indicates the network has remained operational.
This Angolan incident adds to a growing list that has alarmed press freedom and privacy advocates. Amnesty’s Security Lab chief, Donncha Ó Cearbhaill, said confirmed abuses now span multiple continents, and for every verified compromise, more likely remain undetected. The pattern mirrors the “Predatorgate” scandal in Greece, where journalists and politicians were swept up in a wider surveillance controversy involving overlapping legal wiretaps and mercenary spyware.

What the Forensics Reveal About Tradecraft
Details in the Angolan case track with Predator's best-known tactics: single-tap infection vectors; redirect chains tied to throwaway domains; and implants that mimic system daemons to blend into iOS process lists. The lack of reboot persistence points to an in-memory payload: harder to detect while active, but designed to disappear on restart to frustrate post-incident analysis.
The outdated iOS version mattered. Mobile mercenary vendors invest heavily in weaponizing newly disclosed bugs and n-day vulnerabilities that persist on devices awaiting updates. While security updates are not a cure-all—high-end vendors do develop zero-days—they substantially shrink the attack surface and can invalidate costly exploit chains.
Safety Basics for High-Risk Users to Avoid Spyware
Experts advise targeted communities to adopt layered defenses: keep iOS fully updated; enable Apple’s Lockdown Mode if you face elevated risk; treat unsolicited links and attachments with extreme caution; and consider isolating sensitive work to a separate device. Regular reboots can disrupt certain memory-resident implants, though they are not a substitute for patching and vigilant hygiene.
Organizations supporting journalists should also invest in rapid-response playbooks: preserve logs when suspicious messages arrive, use vetted mobile forensics services, and coordinate with reputable research groups such as Amnesty International, Citizen Lab, or Access Now’s Digital Security Helpline. Early reporting can help investigators map live infrastructure and warn additional targets.
Why This Case Matters Beyond Angola and the Region
The Cândido hack spotlights a broader accountability gap. Sanctions and export controls have raised costs for spyware vendors, but without consistent cross-border enforcement and clear procurement rules, tools like Predator continue to surface in sensitive domestic contexts. As more countries debate bans, licensing regimes, and civil remedies, credible, technically grounded investigations remain vital to separating attribution, capability, and intent from rumor.
For now, the findings are a reminder that the threat is neither abstract nor confined to well-known hotspots. A single link was enough to compromise a journalist’s phone—and, potentially, their sources. Until the market for mercenary surveillance is reined in, cases like this are likely to keep emerging, one tap at a time.