Angolan Journalist Targeted by Predator Spyware Hack

Teixeira Cândido, a well-known journalist and press freedom advocate in Angola, had his iPhone hacked with Predator spyware in May 2024. The attack came from a government customer of Intellexa, the company behind the tool, and allowed full access to his phone after he clicked a bad link in WhatsApp. This marks the first confirmed use of the spyware in Angola.

Background

Angola has seen growing worries about surveillance on journalists and activists. Cândido, who once led the Syndicate of Angolan Journalists, has faced threats for years. Since 2022, his office has been broken into without explanation, and he has dealt with other forms of intimidation. These events point to a pattern of pressure on people who speak out against the government.

Predator spyware comes from Intellexa, a firm that sells these tools to governments for watching targets. The company has faced U.S. sanctions in 2024 over its role in privacy abuses. Its founder, Tal Dilian, and a business partner were hit with those measures, though some sanctions on other leaders were later removed. Intellexa works through a network of companies in different countries to sell its products and avoid rules.

This is not the first time Predator has shown up in the news. Cases have been found in Egypt, Greece, Vietnam, and Pakistan. In Greece, it was called Predatorgate after it hit journalists and politicians. In Vietnam, it even targeted U.S. officials through links on social media. These examples show how the spyware spreads to silence critics around the world.

Cândido's case fits into a larger look at threats in Angola. Groups like Friends of Angola and Front Line Defenders started checking into surveillance there in 2025. Their work led to this discovery, showing that these tools keep working even after public calls to stop them.

Key Details

The attack on Cândido started in April 2024. He got several odd WhatsApp messages that seemed normal at first. The sender built trust over time, then sent a link on May 3 at 4:18 p.m. local time. That link looked like it led to a news story on a real website. More links followed over weeks, all pushing him to click.

On May 4, Cândido opened one of the links. That let Predator infect his iPhone. The spyware connected to networks tied to Intellexa, giving proof of the hack. It hid by acting like normal iPhone system files, so it stayed hard to spot. A few hours later, Cândido restarted his phone, which removed the spyware.

His phone ran an older version of iOS, which may have made the hack easier. Once inside, Predator could take everything: messages from apps like WhatsApp, emails, photos, locations, passwords, contacts, call logs, and even turn on the microphone for live audio. It grabs screenshots too and sends it all back to the attackers. The tool is built to leave no signs, making it tough to check for abuse later.

Experts found signs of Predator testing in Angola as far back as March 2023. Multiple web addresses linked to the spyware were set up there, suggesting more targets exist. The links used short forms or fake sites to trick people into clicking.

How the Spyware Works

Predator needs a click to install, unlike some tools that infect without action. Attackers send links through texts, WhatsApp, or social media. The page that opens uses flaws in the phone to plant the spyware. From there, it runs quietly and pulls data without the user knowing. Amnesty International's team checked Cândido's phone and matched the signs to known Predator setups.

“Forensic analysis conducted by Amnesty International’s Security Lab confirmed with high confidence that the infection links are tied to Intellexa’s Predator spyware and resulted in at least one successful infection of Teixeira Cândido’s phone.” – Carolina Rocha da Silva, Operations Manager at Amnesty International’s Security Lab

What This Means

This hack hits at the heart of rights to privacy and free speech. For journalists like Cândido, it means fear of doing their job. They may hold back stories or avoid contacts, knowing their phones could be watched. This chills work on public issues and group efforts for change.

Governments buying these tools say they need them for security. But cases like this show they often target news people and rights workers instead. Intellexa keeps selling despite sanctions, probes, and leaks about its work. In late 2025, leaked papers showed staff could see into customer systems, hinting at wide knowledge of abuses.

The Angola case adds to proof that Predator stayed active into 2025. It joins recent finds in Pakistan, where a lawyer was hit. No one knows for sure who bought the spyware for Angola, but the links to government buyers are clear from past uses.

Amnesty sent a letter to Intellexa in January 2026 asking about their checks on human rights. They got no answer. This silence raises questions about accountability. Meanwhile, more domains tied to the spyware pop up, pointing to ongoing sales and tests.

Journalists in places like Angola now take extra steps. They check links, update phones, and use secure apps. But these tools evolve fast, staying ahead of defenses. The pattern across countries shows a global problem. Spyware firms like Intellexa fuel it by selling to any buyer with money, often with little oversight.

Cândido's story warns of bigger risks. If leaders of press groups get hit, it sends a message to all reporters. Free press depends on safety to report facts. When spyware breaks that, trust in news fades, and power goes unchecked.

Efforts to stop this grow. Sanctions aim to cut off money, and groups push for laws on spyware sales. But as long as demand exists, new companies step in. The fight needs tech fixes, like better phone security, and rules that stick across borders.