Military-grade spyware found on the phones of journalists, activists

The NSO Group’s software can infect a smartphone without the user doing anything at all.

NOVOSIBIRSK, RUSSIA - APRIL 21, 2021: Supporters of Russian opposition activist Alexei Navalny hold ...
Kirill Kukhmar/TASS/Getty Images

A damning new report produced by The Washington Post and several other outlets reveals that military-grade spyware intended for preventing terrorism has been found on the smartphones of journalists around the world. The software, called Pegasus, is made by an Israeli firm called the NSO Group.

The Post was able to learn the information based on a leaked list of cell phone numbers that were entered into the Pegasus software. On the list include at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials. Not exactly terrorists.

Tracking adversaries — NSO has long said that its software is licensed only to vetted governments, and that it requires that Pegasus be used only for the purposes of national security. But reports over the years have found the software installed on the smartphones of civilians who may be antagonistic to their governments.

Among those civilians targeted using Pegasus include two women close to slain journalism Jamal Khashoggi, a staunch critic of the Saudi Arabian government. Their phones were found infected in the days after his murder by a Saudi hit team; his wife was similarly targeted with Pegasus in the months prior to his killing. Saudi Arabia is a client of the NSO Group.

No regulation — Pegasus is insidious because it manages to evade security measures put in place by the likes of Apple and Google. Targets of surveillance need only receive a text message to have their phones infected — and they don’t even need to open the message. Once inside, Pegasus can capture any information on a phone and even turn on the camera or microphone for real-time surveillance.

Apple said in a statement that it’s constantly working to combat this type of software. But in the past when the nature of Pegasus was detailed in stories, the NSO Group was able to change its intrusion methods “within hours.”

There’s effectively no regulation over the trade of spyware, and even though it publicly condemns abuse of its software, NSO Group admitted in a statement to the Post that it “does not have insight into... the activities of its customers.” The concern is that widespread use of spyware could threaten democracy, because journalists couldn’t gather information without endangering sources, and opposition politicians would have their every move anticipated by those in power.

Spyware could also be used for intimidation. It’s been alleged that the hacking of Jeff Bezos’s phone was conducted by the Saudis using Pegasus. Bezos owns the Post, where Khashoggi worked and used his platform to advocate for human rights reforms in Saudi Arabia.

The FBI reportedly began investigating NSO Group last year and whether its software has been used to spy on Americans.

It’s not at all surprising that less scrupulous governments would repurpose military-grade spyware to advance their own agendas and hold onto power. But NSO Group has no real incentive to end its relationships with clients, and these types of misuses will surely continue to occur so long as there’s money to be made exploiting vulnerabilities in mobile operating systems.