With so much attention focused recently on constant consumer spying and privacy violations, erroneous or otherwise, by Amazon, Facebook and now Twitter, it is easy to forget that virtually other communication apps have the same purpose, and that’s what one secretive Israeli company relied on when they used a vulnerability in the popular messaging app WhatsApp (owned by Facebook) to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said. What is unique is how the app was infected: with a simple phone call.
According to the FT, WhatsApp which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. The malicious code, developed by the secretive NSO Group, a notorious and controversial Israeli hacking and surveillance tools vendor, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs.
It is unclear how many apps were infected with the spyware trojan, which could for example, allow anyone to get access to John Podesta’s email password (and then blame say, Vladimir Putin for example) as WhatsApp is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, although it is likely a substantial number. As late as Sunday, the FT reports that WhatsApp engineers were racing to close the loophole.
For those who thought that Alexa’s constant eavesdropping was bad, this is even worse: NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data. It effectively opens up one’s entire cellphone to the hacker, and to get “infected”, one just needs to receive an inbound phone call without ever answering it.
Many people probably heard of NSO for the first time in December 2018, when a New York Times story that claimed the company helped Saudi Arabia spy on the Washington Post journalist Jamal Khashoggi before he was killed in the Saudi consulate in Istanbul, Turkey in October of last year.
NSO advertises its products to Middle Eastern and Western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime. NSO was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital
Since the application is Israeli, its hardly a surprise that the spies’ preferred targets were Middle Eastern: as the FT reports, in the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,”
the company said, with the government in question being that of Israel. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”
WhatsApp disclosed the issue to the US Department of Justice last week, according to a person familiar with the matter. A justice department spokesman declined to comment.
Of course, if instead of a “secretive Israeli” company, the offender was found to be – say – a fabricated Russian outfit, the deep state would ensure that we would now be on the verge of World War III. However, since it’s Israel…. well, turn on your TV and see how many TV stations discuss this grotesque spying incident which could affect virtually anyone.
NSO, of course, said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”
Among others, the attack targeted a UK lawyer, who declined to be identified, who has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada, sue NSO in Israel, alleging that the company shares liability for any abuse of its software by clients.
“It’s upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits,” said Alaa Mahajne, a Jerusalem-based lawyer who is handling lawsuits from the Mexican and Saudi citizens. “This desperate reaction to hamper our work and silence us, itself shows how urgent the lawsuits are, as we can see that the abuses are continuing.”
On Tuesday, NSO will also face a legal challenge to its ability to export its software, which is regulated by the Israeli ministry of defense.
It was unclear if the entity behind the actual espionage was NSO in conjunction with the Israeli government, or if Israel had sold the hacking application to one or more of its best clients, including Saudi Arabia.
“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty International, which identified an attempt to hack into the phone of one its researchers.
“The Israeli ministry of defense has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.
For more on NSO, watch this 60 Minutes interview with the company’s CEO.