Smartphones of senior government officials, journalists, human activists, and military officers across 20 U.S. allied countries were targeted earlier this year with an Israeli spyware that used WhatsApp to take over users’ phones, said sources familiar with an internal investigation of Facebook-owned instant messaging platform.
Some of the victims of the spyware hack belong to the United States, United Arab Emirates, Bahrain, Mexico, Pakistan, and India.
WhatsApp on Tuesday filed a lawsuit in the Northern District of California against Israeli surveillance software company, NSO Group. The company has been accused of building and selling a hacking platform that exploited vulnerabilities in the WhatsApp messaging app. As a result, it helped unnamed entities’ spies to hack into phones of roughly 1,400 users around the world between April and May 2019.
The hackers exploited the flaw and remotely installed surveillance software called ‘Pegasus’ on phones and other devices.
The spyware requires a target to click on an “exploit link” which allows the Pegasus operator to penetrate the device’s security features and install Pegasus without user’s knowledge or permission. Once spyware is installed, the operator can access target’s private data, including passwords, contact lists, text messages, calendar events, and live voice calls. Even worse, the spyware also allows the operator to access the target device’s camera and microphone to capture activity in the phone’s vicinity.
WhatsApp refused to provide the exact number of those targeted or any information on whose behalf the phones of top officials were exploited.
“In the latest vulnerability, the subject of the lawsuit, clicking the ‘exploit link’ may also not be required and a missed video call on WhatsApp will have enabled opening up the phone, without a response from the target at all,” the report said.
WhatsApp said it has sent warning notifications to affected users about the issue. “We quickly added new protections to our systems and issued an update to help keep people safe. We are now taking additional action on the basis of what we have learnt to date,” the company said in a statement.
Following the breach, WhatsApp has added new protections to its systems and issued updates for the app. Also, WhatsApp who has suffered damages more than $75,000 is seeking punitive damages too.
According to Indian media reports, nearly two dozen activists, lawyers, and journalists were targeted in India. While WhatsApp confirmed that a number of Indian users had been targeted by the Pegasus spyware, the company’s spokesperson Carl Woog said that a “not insignificant number” of Indian journalists and human rights activists were targeted in the breach.
NSO Group, on its part, has denied any wrongdoing and said that it sells its spyware exclusively to government customers only.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists,” the company said in a statement. “We license our product only to vetted and legitimate government agencies.”