How Predator Spyware Turns Mobile Ads Into Powerful Zero-Click Weapons

A new investigation into the commercial spyware Predator shows how far surveillance companies are going to compromise smartphones. Recently leaked internal documents reveal that Intellexa, the maker of Predator, has developed methods that allow attackers to infect a device without the victim clicking anything at all.

One of the most concerning discoveries is a zero-click technique called Aladdin, which uses ordinary online advertisements as a delivery system. When a chosen target simply loads a webpage or app that displays ads, a hidden malicious ad can silently redirect the device to a server that launches the attack. No tapping, opening, or interaction is required.

Fig 1. A leaked diagram showing how Aladdin works. (Source: Amnesty International)

Researchers found that this system relies on a web of shell companies operating across several countries to buy and place these ads. The ads appear completely normal to the target, but behind the scenes they are engineered to identify specific individuals using their IP address and other tracking information.

Investigators say Aladdin has been in use since at least 2024 and may still be active today.

Multiple Paths to Infection Beyond Ads

The leaks also highlight several other infection methods, including Triton, a technique that abuses weaknesses in mobile networks to push spyware onto certain Samsung devices.

Additional vectors, codenamed Thor and Oberon, may involve radio-based or physical-access attacks, although details remain unclear.

Beyond zero-click attacks, Intellexa has long relied on one-click infection links sent through messaging apps. When tapped, these links exploit previously unknown flaws in browsers like Chrome and Safari to break into a phone and install Predator.

Once installed, Predator can extract messages, call logs, emails, photos, passwords, and real-time location data. It also has tools to activate the microphone and camera without the user noticing.

According to researchers, some Intellexa staff may even have had the ability to remotely access surveillance systems used by their government clients.

Fig 2. A leaked brochure showing the features of Intellexa’s spyware.  (Source: Amnesty International)

Global Reach and What Users Can Do

Despite sanctions and public scrutiny, Predator activity has been observed in more than a dozen countries. One case involved an attempted attack on a human rights lawyer in Pakistan, marking the first known targeting of civil society in that country. In other regions, activity appears to be continuing or shifting as infrastructure changes.

For everyday users, defending against such advanced spyware is difficult, but there are steps that help reduce exposure. Using ad blockers, limiting tracking, and keeping devices fully updated can provide partial protection. Features like Advanced Protection on Android and Lockdown Mode on iOS offer additional safeguards against sophisticated attacks.

The investigation shows a troubling trend: commercial spyware is evolving rapidly, using the same digital systems people rely on every day — including advertising networks — to compromise devices silently.

As these tools become more complex, strong mobile security habits and updated protections are becoming more important than ever for consumers.