WhatsApp identifies dozens of users hacked by Paragon spyware company
WhatsApp, used by millions of people around the world, says its users were hacked by the Paragon Solutions spyware company. The World’s Host Marco Werman speaks with John Scott-Railton, a senior researcher at Citizen Lab, about the continuing threat of sophisticated spyware.
WhatsApp — which millions of people use for text messaging and voice and video calls — boasts of its end-to-end encryption, giving users privacy and peace of mind. But on Friday, Meta, the owner of both WhatsApp and Facebook, notified around 90 users to tell them that their phones had been hacked.
Malware sold by a company called Paragon Solutions was used to get into those devices. Paragon Solutions, like NSO Group (the maker of Pegasus) before it, is an Israeli spyware company. The victims of the hack are reported to include journalists and members of civil society.
The World’s Host, Marco Werman, spoke with John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto in Canada, about the continuing threat of sophisticated spyware and Meta’s response to the latest hacking incident.
Marco Werman: Meta said the phones of around 90 people were affected. How did they know that?
John Scott-Railton: One of the good things about being a large platform is that you can sometimes track hacking against your users. Big platforms that are used by many people, like WhatsApp, are common targets for sophisticated hacking groups, both because they want to know what people are talking about and because they can be used as a route to infect the phone that the app is installed on.
What can you tell us about the Paragon software and how it actually works?
Your listeners may be familiar with names like Pegasus and other kinds of what we call mercenary spyware. Paragon fits into that same category. They’re a company that sells, they say, exclusively to governments. And according to their marketing materials and what they’ve said before, they pride themselves on being hard-to-find and very “light touch.” The key thing to know about this kind of company is that they’re selling what we call zero-click hacking. What that means is that one minute, your phone in your pocket is yours with all of your private data — your external brain — and the next minute, it is infected with this spyware silently streaming data back to whoever is operating it. It’s a pretty terrifying thing because there’s no mistake you, as a user, can make, no link to click on, attachment to open, deception to fall for. You’re simply private one minute and your device is penetrated the next.
How widespread are these kinds of spyware attacks?
Unfortunately, wherever we, as researchers, scratch, we tend to find [these attacks]. And what we’re happy about is when companies like WhatsApp really dig and try to find this kind of targeting across their platform and notify users. But what’s critically important is that the platforms investigate and then take action to blunt the attacks. That’s what WhatsApp has done. Not only did they introduce some tactical measures that dismantled this particular, we would say, vector of attack, but they also notified users, which we think is a critical piece of the puzzle because it means that there can start being accountability around this kind of abuse, this kind of targeting.
Does WhatsApp routinely monitor and alert users that they may have been spied on or hacked?
So, the first case that some people may remember is back in 2019, NSO Group, which makes Pegasus, targeted about 1,400 WhatsApp users across WhatsApp in a sort of similar kind of attack, something that users wouldn’t have necessarily had a link to click on or seen very much. WhatsApp not only went ahead and notified those users, but they actually sued NSO Group in US court. And, as of today, they have prevailed in that case, which is pretty remarkable.
As somebody who’s worked on this kind of issue for a long time, we think it’s great when platforms really investigate and look for evidence of this kind of sophisticated hacking. They find the groups, they see who they’re targeting, and then they notify and they put their shoulder behind the effort to hold these groups accountable. Otherwise, for you and me as users, there’s not much guidance I can give. If this stuff is going to target you, there’s very little that you as a user can do to protect yourself, which is why the protections have to come through consequences, through legal consequences, in some cases through sanctions and other mechanisms to really pump the brakes on the proliferation of this technology, which is extremely widespread to governments around the world.
You’ve mentioned the Israeli firm NSO Group and Pegasus spyware a couple of times. Is Pegasus still being sold to customers?
Pegasus spyware is still a thing. In the past couple of years, the previous Trump administration and the Biden administration realized that mercenary spyware was an issue for them. And it was an issue for US national security because, not only are these companies whose business model is hacking American platforms, that is their business model, but their stuff is also used against US government personnel, American citizens and American allies. And this shows just how serious this problem is. It’s not something that’s just faced by journalists and human rights defenders and other truth tellers. It’s something that cuts right to the heart of every government’s cybersecurity. And to me, it remains astonishing that more muscular measures are not taken against the companies who make a business of hacking American companies and, in many cases, facilitating the hacking of Americans.
Yeah, so if the companies say misuse of their products is not their fault, and if the countries that regulate them do not stop it, who can protect the privacy of our mobile phones?
In fact, we have good evidence for a pathway that works. So, the previous administration unveiled some sanctions; they did an executive order on commercial spyware; there were some visa bans. And that seems to have freaked out the mercenary spyware ecosystem. It led to a lot of changes: a bunch of companies became insolvent, some others closed shop, and it was a big disruption. And so, I think what we are hoping to see is both that the US continues based on what it knows about what to do, but also that other governments really lean in to try to combat this problem. Because if they don’t, the future that we’re in is every government hacking everybody all the time. And that just does not contribute to anybody’s idea of our collective security.
This interview has been lightly edited and condensed for clarity.