How spyware Pegasus used WhatsApp servers to infect phones and steal data

Pegasus has been around for three years and is considered one of the most sophisticated spyware in the market

What: On October 29, US-based messaging platform WhatsApp dragged to court the NSO Group, an Israeli cyber-intelligence technology firm. In the first lawsuit of its kind, the social media giant has alleged that the NSO Group’s highly sophisticated spyware, Pegasus, infected 1,400 phones in 20 countries, including those of more than 100 human rights activists and journalists.

In India, Chhattisgarh-based activist Shalini Gera, Nagpur-based lawyer Nihalsing Rathod, Adivasi rights activist Bela Bhatia, academic on Dalit issues Anand Teltumbde and former BBC journalist Shubhranshu Choudhary were among those targeted. Pegasus gained access to their devices through missing WhatsApp video calls. Thereon it managed to receive and share with the attackers personal files such as messages, photos and contacts for a 14-day period starting April this year. 

How: Pegasus, which is capable of attacking both Android and iOS, has been around for three years and is considered one of the most sophisticated spyware in the market. It begins work after the user clicks on the infected link sent by the attacker. After an installation process that requires no permission from the user, the spyware begins to contact the phone’s control servers, allowing it to gather data from the infected device. Looking to steal passwords, contacts, messages, calendar information and other private data, Pegasus also has the ability to hack the phone’s camera, microphone and GPS location. 

This time, the spyware attacked a vulnerability in the WhatsApp VoIP (Voice Over Internet Protocol), which is used to make video and audio calls. WhatsApp discovered cyber-attacks on its systems in May and rolled out various fixes and updates. With the help of The Citizen Lab at the University of Toronto, a six-month-long investigation led to the discovery of Pegasus.

According to reports, The Citizen Lab then contacted the suspected targets and warned them that their devices might have been compromised. But most users did not take it seriously. Eventually, WhatsApp contacted these users through a verified account. About 40 people in India, most of whom are academics, journalists and activists, have since been identified as victims of this cyberattack.

Now: After WhatsApp moved court, the NSO Group released a statement saying, “In the strongest possible terms, we dispute today's allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.” 

Pegasus, meanwhile, has kicked up a storm on Twitter, with Twitteratis questioning the involvement of the Indian government. Nishant Sinha, a Congress worker in Bihar, tweeted, “It’s time for WhatsApp to introduce a 3rd tick. To show that the government has read your message.” The fact that so many of the targeted users are lawyers and activists who are in some way associated with the Bhima Koregaon and Elgar Parishad cases has also raised eyebrows.  

Why: According to Amnesty International, Pegasus has been targeting journalists in Mexico, Saudi dissidents and Amnesty’s own researchers since 2017. While it is still not clear if any of India’s government agencies sought the services of the NSO Group, Information Technology Minister Ravi Shankar Prasad has said that the government has asked WhatsApp to “explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens”. Meanwhile, WhatsApp users are scrambling to install the latest versions of their phones’ operating systems and of the app as this is the only cited preventive measure against Pegasus.