Community efforts to raise awareness have built momentum toward an international policy response. Google has been a committed participant in the Pall Mall Process, designed to build consensus and progress toward limiting the harms from the spyware industry. Together, we are focused on developing international norms and frameworks to limit the misuse of these powerful technologies and protect human rights around the world. These efforts are built on earlier governmental actions, including steps taken by the US Government to limit government use of spyware, and a first-of-its-kind international commitment to similar efforts.
Recognizing the severity and widespread nature of Intellexa's activities in particular, we have made the decision to simultaneously deliver our government-backed attack warning to all known targeted accounts associated with Intellexa's customers since 2023. This effort encompasses several hundred accounts across various countries, including Pakistan, Kazakhstan, Angola, Egypt, Uzbekistan, Saudi Arabia, and Tajikistan, ensuring that individuals at risk are made aware of these sophisticated threats.
Following our disclosure policy, we are sharing our research to raise awareness and advance security across the ecosystem. We have also added all identified websites and domains to Safe Browsing to safeguard users from further exploitation. We urge users and organizations to apply patches quickly and keep software fully up-to-date for their protection. Google will remain focused on detecting, analyzing, and preventing zero-day exploitation as well as reporting vulnerabilities to vendors immediately upon discovery.
rule G_Hunting_PREYHUNTER_IOSStrings_1
{
    meta:
        author = "Google Threat Intelligence Group (GTIG)"
    strings:
        $ = "/Users/gitlab_ci_2/builds/jb"
        $ = "/roe/ios1"
        $ = "-production/libs/Exploit" ascii wide
        $ = "/private/var/tmp/l/voip_%lu_%u_PART.m4a" ascii wide
        $ = "/private/var/tmp/etherium.txt" ascii wide
        $ = "/private/var/tmp/kusama.txt" ascii wide
        $ = "_gadget_pacia" ascii wide
        $ = "ZN6Helper4Voip10setupHooksEvE3$_3" ascii wide
        $ = "Hook 1 triggered! location:" ascii wide
        $ = "KernelReaderI11CorelliumRWE" ascii wide
        $ = "NSTaskROP20WithoutDeveloperMode" ascii wide
        $ = "UMHookerI14RemoteTaskPort" ascii wide
        $ = "com.elanbenami.EnneaApp" ascii wide
        $ = "callFunc: building PAC cache for" ascii wide
        $ = "select tset FROM tsettings WHERE INSTR(tset, ?)" ascii wide
        $ = "select * from tsettings WHERE length(sha256) > ?" ascii wide
        $ = "isTrojanThreadERK" ascii wide
        $ = "getpid from victim returned:" ascii wide
        $ = "victim task kaddr:" ascii wide
    condition:
        1 of them
}
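To make explicit what the rule's `ascii wide` modifiers and its `1 of them` condition actually test, here is an added pure-Python emulation of the string matching (not the GTIG rule itself and not yara-python) run over constructed sample buffers. The subset of rule strings and the sample bytes are my own choices; the first three strings in the rule carry no modifier, which YARA treats as ascii-only.

```python
"""Emulate the hunting rule's string matching (added illustration, not GTIG code)."""

# (string, searched as UTF-16LE too?) -- a subset of the rule's strings.
# No modifier means ascii only; `ascii wide` means raw bytes OR UTF-16LE.
RULE_STRINGS = [
    ("/Users/gitlab_ci_2/builds/jb", False),   # no modifier in the rule
    ("/private/var/tmp/etherium.txt", True),   # ascii wide
    ("KernelReaderI11CorelliumRWE", True),     # ascii wide
    ("victim task kaddr:", True),              # ascii wide
]


def scan(data: bytes) -> list[tuple[str, str, int]]:
    """Return (string, encoding, offset) for every hit, like YARA's match.strings."""
    hits = []
    for s, wide in RULE_STRINGS:
        candidates = [("ascii", s.encode("ascii"))]
        if wide:
            # YARA's `wide` is 2-byte little-endian (UTF-16LE) with no BOM.
            candidates.append(("wide", s.encode("utf-16-le")))
        for label, pat in candidates:
            off = data.find(pat)
            while off != -1:
                hits.append((s, label, off))
                off = data.find(pat, off + 1)
    return hits


def rule_matches(data: bytes) -> bool:
    """Condition `1 of them`: true as soon as any defined string is found."""
    return bool(scan(data))


# Constructed sample buffers (not real binaries).
SAMPLE_WIDE = (b"\x00" * 8
               + "KernelReaderI11CorelliumRWE".encode("utf-16-le")
               + b"\x00\x00")
SAMPLE_CLEAN = b"hello world, nothing to see here"
# Wide form of an ascii-only string: the rule does NOT match this.
SAMPLE_ASCII_ONLY_WIDE = "/Users/gitlab_ci_2/builds/jb".encode("utf-16-le")

if __name__ == "__main__":
    for name, buf in (("wide", SAMPLE_WIDE), ("clean", SAMPLE_CLEAN),
                      ("ascii-only-as-wide", SAMPLE_ASCII_ONLY_WIDE)):
        print(name, rule_matches(buf), scan(buf))
```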