WhatsApp snoopgate! Indian journalists, human rights activists targeted in spyware attack

Facebook-owned WhatsApp has accused Israel-based NSO Group of using spyware to snoop on academics, lawyers, journalists and human rights activists in various countries, including India. In a lawsuit filed in a US federal court, WhatsApp alleged that NSO Group used spyware called 'Pegasus' to target over 1,400 WhatsApp users, a few of them in India. As per WhatsApp, the spyware targeted victims by giving missed calls on their mobile phones.

WhatsApp attributed the attack to NSO Group and its parent company Q Cyber Technologies. The complaint alleges they violated both US and California laws as well as WhatsApp Terms of Service.

Also read: WhatsApp update: What is the upcoming self-destruction feature?

It said the attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power mobile phones. "WhatsApp cares deeply about the privacy and security of our users... which is why we provide end-to-end encryption for all messages and calls by default," said the company, adding it's the first time it had taken a legal action against a private entity who had carried out this type of attack.

WhatsApp said an NSO employee had even acknowledged that the company's steps to remediate the attack were "effective". "We are seeking a permanent injunction banning NSO from using our service," said WhatsApp.

Also read: Is Google preparing to fight Facebook's WhatsApp with RCS messaging

Meanwhile, the number of victims in India was not high, WhatsApp India told The Indian Express, adding that it also contacted each of the victims -- which included academics, lawyers, Dalit activists and journalists -- of the spyware in India.

The company said it sent special WhatsApp messages to approximately 1,400 users who might have been affected by the attack. The issue had come to the fore after cybersecurity experts at the Citizen Lab, an academic research group based at the University of Toronto's Munk School, studied the impact of this attack.

As per India Today sources, Israeli firm NSO a few years ago had tried to sell the spyware to Central Police Organisation, which comes under the Ministry of Home Affairs. In their sales pitch, the NSO had claimed to have sold the product to country's premier intelligence agencies. The Pegasus spyware costs over Rs 180-200 crore, and hence can only be procured by government agencies.

Also read: New WhatsApp features for Android, iOS to include Dark Mode, self-destructing messages

How spyware 'Pegasus' works

• It sends a specially crafted 'exploit link' to its targets
• Once the user clicks on the link, it penetrates security features of the device
• In some cases, users get a miss call. They don't even need to click the 'exploit link'
• Then it installs the malware Pegasus without the user's consent
• Once installed, it takes control of the server to keep a track of all data, including voice calls, private data, passwords, contact list
• The details are sent back to the operator whenever required
• The spyware can even turn on the user's mobile phone camera without his/her knowledge

Edited by Manoj Sharma