Powerful spyware developed by Israeli cyber-intelligence company NSO Group exploited a vulnerability in encrypted messaging app WhatsApp to transfer itself to targeted devices, the Financial Times reported on Monday.
NSO Group is the creator of Pegasus—a program that reportedly allows an attacker to secretly seize more or less complete control of an infected mobile device, including cameras, microphones, files, and text messages. According to FT, a “spyware dealer” briefed on the WhatsApp vulnerability said that it allowed NSO Group software to spread via calls placed within the app, succeeding even if the targeted user did not answer. That source said that sometimes the call logs later disappeared before the target of the surveillance could notice.
FT also reported that WhatsApp discovered the vulnerability earlier this month and “a person familiar with the issue” said the company’s internal investigation had not progressed enough to result in reliable estimates of the number of impacted users. WhatsApp confirmed to FT that it had begun rolling out a fix to servers on Friday and issued a patch to customers on Monday.
In a statement to FT, WhatsApp all but pointed the finger: “This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems. We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
WhatsApp has also informed U.S. authorities, specifically the Department of Justice, about the incident.
NSO Group does not comment on specific clients, but research conducted by the Toronto-based Citizen Lab “identified a total of 45 countries where Pegasus operators may be conducting surveillance operations,” including at least “10 Pegasus operators [which] appear to be actively engaged in cross-border surveillance.” Citizen Lab also concluded that Pegasus had been used to target a Saudi Arabian dissident living in Canada who was in contact with Jamal Khashoggi, a fellow dissident and journalist who was subsequently murdered by Saudi agents at a consulate in Istanbul in October 2018. (That dissident, Omar Abdulaziz, is suing NSO Group, as are other alleged targets of NSO Group tools.)
Other reports have suggested that Saudi Arabia, along with a long list of other nations with awful human rights records, is in possession of Pegasus, and that the system has been used to target human rights activists, journalists, and others.
NSO Group has denied its tools were used to target Khashoggi and that they are sold to governments for the sole purpose of fighting crime and terrorism. However, there is virtually no transparency surrounding its sales process, and NSO Group founder and CEO Shalev Hulio has defended the use of his software to break into the phones of lawyers and journalists.
Citizen Lab also alleged in early 2019 that it had been targeted in two botched sting operations in Toronto and New York by persons using false identities, with the apparent goal of luring the group’s members to meetings at hotels and fooling them into making bigoted comments. The Associated Press later reported that other individuals who either were involved in litigation against or had reported on NSO Group had been lured into similar meetings.
Citizen Lab senior researcher John Scott-Railton told FT that a lawyer based in the UK and involved in litigation against NSO Group had been targeted using the WhatsApp vulnerability over the weekend, but that WhatsApp’s updates appeared to have stopped the attack in its tracks.
“We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection,” Scott-Railton told the paper. “We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” NSO Group told FT in a statement. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”
NSO Group is currently facing down a legal challenge against its export licenses backed by Amnesty International, which alleged last year that it had identified an attempt to break into a staff member’s phone using NSO Group software. The Israeli Ministry of Defense denied Amnesty’s requests to revoke the licenses, which would leave NSO Group without the ability to conduct foreign sales, last year. Amnesty will press the issue in a filing in Tel Aviv court on Tuesday, FT wrote.