New Delhi: WhatsApp has confirmed that an Israeli spyware – Pegasus – was used to spy on Indians in the run-up to the 2019 Lok Sabha elections. At least two dozen academics, human rights activists, lawyers and journalists were reportedly told by WhatsApp that their phones had been under surveillance for a two-week period in May.
According to the Indian Express, which broke the news, the Facebook-owned platform has not revealed the exact number or names of those targeted. WhatsApp’s revelation comes after the company sued an Israeli firm for “helping” spies hack into people’s phones. WhatsApp said in a statement that 100 civil society members had been targeted, and called it “an unmistakable pattern of abuse”.
The Israeli company – NSO Group – has denied the allegations. “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists,” the firm said in a statement.
“Indian journalists and human rights activists have been the target of surveillance and while I cannot reveal their identities and the exact number, I can say that it is not an insignificant number,” a WhatsApp spokesperson told Indian Express.
Citizen Lab, a Canada-based cyber security organisation, had said in September 2018, “We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries.” It added that one operate, “Ganges, used a politically themed domain,” Indian Express reported.
Pegasus works by getting the targeted person to click on an ‘exploit link’, which allows the operator to go through security features and installs Pegasus on the phone without the owner’s knowledge or permission. The target’s private data, including passwords, contact lists, calendar events, text messages and live voice calls from popular mobile messaging apps, can then be accessed. It’s also possible turn on the phone’s camera or voice recording software.
According to the Indian Express, the latest vulnerabilities reported in the lawsuit indicate that it may not even be necessary to click on the link – just a missed video call might be enough.