WhatsApp chief Will Cathcart has said that findings from the new investigation into NSO Group’s Pegasus spyware coincide with what the app learned about an attack on its users in 2019. Cathcart also questioned NSO’s claim that a list of thousands of phone numbers central to the investigation is an exaggeration, pointing out that the WhatsApp hack targeted 1,400 people over a two-week period.
In an interview published by the Guardian on Saturday, Cathcart said that the 2019 attack targeted senior government officials worldwide, including individuals in national security who are “allies of the U.S.” The hacking of more than a thousand of its users prompted WhatsApp and Facebook, the app’s parent company, to sue NSO in 2019. The lawsuit claims that other targeted users included attorneys, journalists, human rights activists, political dissidents, and diplomats.
A phone infected with the Pegasus spyware can provide an uncomfortably detailed look into a victim’s life. Clients that use it can collect location data, call logs, and contacts. The phone’s camera and microphone can also be highjacked to monitor the victim. Pegasus is frighteningly easy to install and infects phones by either tricking an individual into clicking a link or activating itself without any clicks at all.
Cathcart said the reporting from the investigation, which has been carried out by a consortium of 17 news organizations, was “very consistent” with what WhatsApp decried in 2019. He added that many of the targets in the WhatsApp attack had “no business being under surveillance in any way, shape, or form.”
“This should be a wake up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone,” Cathcart told the Guardian, which is part of the news consortium.
In addition, the WhatsApp head cast doubt over NSO’s response to the investigation. The Israeli security firm has called many of claims in the investigation “uncorroborated theories.” It has classified one of the central pieces of evidence, a leaked list with more 50,000 phone numbers which is believed to identify people of interest for NSO clients, as an exaggeration and has denied the list has any relation to NSO or its clients.
Cathcart, though, highlighted that the attack on WhatsApp targeted 1,400 users over two weeks.
“That tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high,” he said, according to the outlet. “That’s why we felt it was so important to raise the concern around this.”
Cathcart also called for more accountability for spyware developers, underlining that NSO’s government clients are the ones funding its operations. NSO has described its customers as 60 intelligence, military, and law enforcement agencies in 40 countries. It claims its clients, which it does not identify citing confidentiality, are only allowed to use Pegasus to prevent and investigate crime and counterterrorism.
In response to Cathcart’s comments, an NSO spokesperson told the Guardian that the company was aiming to create a safer world.
“We are doing our best to help creating a safer world,” the spokesperson said. “Does Mr. Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists and criminals using end-to-end encryption platforms? If so, we would be happy to hear.”