Pegasus – possibly the most powerful piece of spyware ever developed – has been found on mobile phones around the world.
A major investigation is alleging that the malware was used to hack the phones of politicians, activists and prominent news editors worldwide.
The hacking software – or spyware – is marketed and licensed to governments by Israeli company NSO Group.
French-based non-profit media organisation Forbidden Stories has shared access to a leaked list that contains more than 50,000 phone numbers.
The military-grade spyware is used by governments to track terrorists and criminals.
It’s alleged the malware was used to successfully hack the smartphones of journalists, human rights activists, business executives and the two women closest to murdered Saudi journalist Jamal Khashoggi, The Washington Post reports.
Earlier versions of Pegasus used spear-phishing – targeted emails used to deploy malicious software.
It is now capable of so-called “zero-click” attacks. These exploit “zero-day” vulnerabilities.
That means a simple WhatsApp call can infect devices with malicious code – even if the target doesn’t pick up the phone.
NSO Group and its spyware have been in the headlines since at least 2016 when researchers accused it of helping spy on a dissident in the United Arab Emirates.
Sunday’s revelations raise privacy and rights concerns and reveal the far-reaching extent to which the private Israeli company’s software may be being used by its clients internationally.
The extent of the use of Pegasus was reported by The Washington Post, the Guardian, Le Monde and other news outlets which collaborated on an investigation into a data leak.
The leak was of a list of more than 50,000 smartphone numbers believed to have been identified as people of interest by clients of NSO since 2016, the media outlets said.
The Post said the total number of phones on the list that were actually targeted or surveilled is unknown.
It said 15,000 of the numbers on the list were in Mexico and included those of politicians, union representatives, journalists and government critics.
The list reportedly included the number of a Mexican freelance journalist who was murdered at a car wash. His phone was never found and it was not clear if it had been hacked.
Mobile phone numbers of politicians, journalists, scientists listed
Indian investigative news website The Wire reported that 300 mobile phone numbers used in India – including those of government ministers, opposition politicians, journalists, scientists and rights activists – were on the list.
The numbers included those of more than 40 Indian journalists from major publications such as the Hindustan Times, The Hindu and the Indian Express as well as two founding editors of The Wire, it said.
The Indian government denied in 2019 that it had used the malware to spy on its citizens after WhatsApp filed a lawsuit in the US against NSO, accusing it of using the messaging platform to conduct cyber espionage.
The Post said a forensic analysis of 37 of the smartphones on the list showed there had been “attempted and successful” hacks of the devices, including those of two women close to Saudi journalist Jamal Khashoggi, who was murdered in 2018 by a Saudi hit squad.
Among the numbers on the list are those of journalists for Agence France-Presse, The Wall Street Journal, CNN, The New York Times, Al Jazeera, France 24, Radio Free Europe, Mediapart, El Pais, the Associated Press, Le Monde, Bloomberg, the Economist, Reuters and Voice of America, the Guardianreported.
The use of the Pegasus software to hack the phones of Al-Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research centre at the University of Toronto, and Amnesty International.
The Post said the numbers on the list are unattributed but the media outlets participating in the project were able to identify more than 1000 people in more than 50 countries.
They included several members of Arab royal families, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials including heads of state and prime ministers and cabinet ministers.
The reports said many numbers on the list were clustered in 10 countries – Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates.
Pegasus is reportedly a highly invasive tool that can switch on a target’s phone camera and microphone as well as access data on the device, effectively turning a phone into a pocket spy.
In some cases it can be installed without the need to trick a user into initiating a download.
NSO issued a denial on Sunday that focused on the report by Forbidden Stories, calling it “full of wrong assumptions and uncorroborated theories,” and threatened a defamation lawsuit.
“We firmly deny the false allegations made in their report,” NSO said.
“As NSO has previously stated, our technology was not associated in any way with the heinous murder of Jamal Khashoggi,” the company said.
“We would like to emphasise that NSO sells its technologies solely to law enforcement and intelligence agencies of vetted governments for the sole purpose of saving lives through preventing crime and terror acts,” it said.
Citizen Lab reported in December that about three dozen journalists at Qatar’s Al-Jazeera network had their mobile devices targeted by Pegasus malware.
Amnesty International reported in June last year that Moroccan authorities used NSO’s Pegasus software to insert spyware onto the mobile phone of Omar Radi, a journalist convicted over a social media post.
At the time, NSO told AFP that it was “deeply troubled by the allegations” and was reviewing the information.
Founded in 2010 by Israelis Shalev Hulio and Omri Lavie, NSO Group is based in the Israeli hi-tech hub of Herzliya, near Tel Aviv. It says it employs hundreds of people in Israel and around the world.
– with AFP