WhatsApp voice calls used to inject Israeli spyware on phones
https://www.ft.com/content/4da1117e-756c-11e9-be7d-6d846537acab


A vulnerability in the messaging app WhatsApp has allowed attackers to inject commercial Israeli spyware on to phones, the company and a spyware technology dealer said.

WhatsApp, which is used by 1.5bn people worldwide, discovered in early May that attackers were able to install surveillance software on to both iPhones and Android phones by ringing up targets using the app’s phone call function. 

The malicious code, developed by the secretive Israeli company NSO Group, could be transmitted even if users did not answer their phones, and the calls often disappeared from call logs, said the spyware dealer, who was recently briefed on the WhatsApp hack.

WhatsApp, which is owned by Facebook, is too early into its own investigations of the vulnerability to estimate how many phones were targeted using this method, said a person familiar with the issue.

As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method. 

Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to the same vulnerability that WhatsApp was trying to patch.

NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data.

NSO advertises its products to Middle Eastern and western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime. NSO was recently valued at $1bn in a leveraged buyout that involved the UK private equity fund Novalpina Capital.

In the past, human rights campaigners in the Middle East have received text messages over WhatsApp that contained links that would download Pegasus to their phones.

WhatsApp said teams of engineers had worked around the clock in San Francisco and London to close the vulnerability. It began rolling out a fix to its servers on Friday last week, WhatsApp said. All users should update to the latest version of WhatsApp, which was issued on Monday, the company said.

“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organisations to share the information we can, and to work with them to notify civil society.”

WhatsApp disclosed the issue to the US Department of Justice last week, according to a person familiar with the matter. A justice department spokesman declined to comment.

NSO said it had carefully vetted customers and investigated any abuse. Asked about the WhatsApp attacks, NSO said it was investigating the issue.

“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”

The UK lawyer, who declined to be identified, has helped a group of Mexican journalists and government critics and a Saudi dissident living in Canada sue NSO in Israel, alleging that the company shares liability for any abuse of its software by clients.

John Scott-Railton, a senior researcher at Citizen Lab, said the attack had failed. “We had a strong suspicion that the person’s phone was being targeted, so we observed the suspected attack, and confirmed that it did not result in infection,” said Mr Scott-Railton. “We believe that the measures that WhatsApp put in place in the last several days prevented the attacks from being successful.”

Other lawyers working on the cases have been approached by people pretending to be potential clients or donors, who then try and obtain information about the ongoing lawsuits, the Associated Press reported in February.

“It’s upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits,” said Alaa Mahajne, a Jerusalem-based lawyer who is handling lawsuits from the Mexican and Saudi citizens. “This desperate reaction to hamper our work and silence us itself shows how urgent the lawsuits are, as we can see that the abuses are continuing.”

On Tuesday, NSO will also face a legal challenge to its ability to export its software, which is regulated by the Israeli ministry of defence.

Amnesty International, which identified an attempt to hack into the phone of one its researchers, is backing a group of Israeli citizens and civil rights group in a filing in Tel Aviv asking the defence ministry to cancel NSO’s export licence. 

“NSO Group sells its products to governments who are known for outrageous human rights abuses, giving them the tools to track activists and critics. The attack on Amnesty International was the final straw,” said Danna Ingleton, deputy director of Amnesty Tech.

“The Israeli Ministry of Defence has ignored mounting evidence linking NSO Group to attacks on human rights defenders. As long as products like Pegasus are marketed without proper control and oversight, the rights and safety of Amnesty International’s staff and that of other activists, journalists and dissidents around the world is at risk.”

Additional reporting by Kadhim Shubber in Washington

This article has been amended since publication to note that WhatsApp is owned by Facebook

Related article, added details of abuses and murders linked to NSO Group

---

Modern Merchants of Death: Spyware and Human Rights

Arms manufacturers of old, and many of the current stable, did not care much where their products went. The profit incentive often came before the patriotic one, and led to such dark suspicions as those voiced by the Nye Committee in the 1930s. Known formally as the Special Committee on Investigation of the Munitions Industry, the US Senate Committee, chaired by US Senator Gerald Nye (R-ND) supplies a distant echo on the nature of armaments and their influence.

The Nye Committee had one pressing concern: that the United States might fall for the same mistake it did in 1917 in committing to a foreign conflict while fattening the pockets of arms manufacturers. As Chairman Senator Nye promised,

“When the Senate investigation is over, we shall see that war and preparation for war is not a matter of national honour and national defence, but a matter of profit for the few.”

Despite the current sophisticated state of modern weaponry, along with modern offshoots (cybertools, spyware, the use of malware), the principle of ubiquitous spread is still present. Companies in the business of developing malware and spyware, modern merchants of disruption and harm, face charges that their products are being used for ill, a nastiness finding its way to hungry security services keen to monitor dissent and target contrarians. While the scale of their damage may be less than those alleged by Nye’s Munitions Committee, the implications are there: products made are products used; the ethical code can be shelved.

The NSO Group, a tech outfit based in Herzliya, a stone’s throw from Tel Aviv, specialises in producing such invasive software tools as Pegasus. The reputation of Pegasus is considerable, supposedly able to access data on targeted phones including switching on their cameras and microphones.

NSO’s spyware merchandise has now attained a certain, viral notoriety. When Mexican investigative journalist Javier Valdez Cárdenas was butchered in broad daylight on a street in Culiacán, the capital of the Mexican state of Sinaloa, something reeked. The killing on May 15, 2017 had been designated a cartel hit, an initially plausible explanation given Valdez’s avid interest in prying into the affairs of organised crime in Sinaloa. But the smell went further. As Mexican media outlets reported in June 2017, the government of former president Enrique Peña Nieto had purchased the good merchandise of Pegasus. Three Mexican agencies had purchased spyware to the tune of $80 million since 2011.

Since then, Canadian research group Citizen Lab, in collaboration with Mexican digital rights outfit R3D and freedom of expression group Article 19, have made the case that the widow of the slain journalist, Griselda Triana, became a target of Pegasus spyware within 10 days of her husband’s death in 2017. According to the report, she was also targeted “a week after infection attempts against two of Valdez’s colleagues, Andrés Villareal and Ismael Bojórquez.” The group behind the infection attempts, named RECKLESS-1, is alleged to have links with the Mexican government.

Canadian-based Saudi dissident Omar Abdulaziz can also count himself amongst those targeted by Pegasus. In 2018, he claimed that his phone was tapped by NSO-made spyware, leading to a gruesome implication: that the Saudi authorities would have had access to hundreds of messages exchanged with the doomed Saudi journalist and fellow comrade-in-dissent Jamal Khashoggi.

In December, a suit was filed in Israel by Abdulaziz’s representatives Alaa Mahajna and Mazen Masri, alleging that the NSO Group had hacked his phone in the service of Riyadh. In court papers, it was alleged that the dissident was harangued by the same individuals behind Khashoggi’s murder, insisting that he pack his bags and return to Saudi Arabia.

Buried in the court documentation was the receipt of a text message purportedly tracking the shipment of a package; instead, it masked a link to the NSO Group. Once clicked, the link installed the spyware, turning the phone into an effective agent of surveillance. Soon after this took place, Abdulaziz’s family home in Jidda was raided by Saudi security forces. Two brothers were subsequently detained.

Last January, Maariv, an Israeli daily, investigated reports about telephone spyware supposedly used to bug the phone of the murdered Khashoggi. Khashoggi’s ending at the Saudi embassy in Istanbul, facilitated by a death squad, was not handiwork NSO wanted to be associated with. The group had been, according to a statement in December, “licensed for the sole use of providing governments and law enforcement agencies the ability to lawfully fight terrorism and crime”. Misuse of products would lead to investigation and, depending on appropriate findings, a suspension or termination of the contract.

Shalev Hulio, the company’s CEO, was clear to emphasise his humanity, before distancing himself and his company from the killing.

“As a human being and as an Israeli, what happened to Khashoggi was a shocking murder.”

Hulio was also adamant that:

"Khashoggi was not targeted by any NSO product or technology, including listening, monitoring, location tracking and intelligence collection.”

Could such precise denials be inadvertent confessions?

The cooperative umbrella for Israel is broadening. It seeks allies, or at least some form of accommodation with regional powers, to counter common enemies. With Saudi Arabia and the United Arab Emirates, one common foe remains a constant: Iran. The Israeli state’s licensing of such companies as the NSO Group implicates the policy of permitting the distribution of Pegasus and such products. License their use; license their consequences. Molly Malekar, of Amnesty International’s Israeli office, puts it simply:

“By continuing to approve of NSO Group, the Ministry of Defence is practically admitting to knowingly cooperating with NSO Group as their software is used to commit human rights abuses.”

Monitoring and killing dissidents and intrepid journalists tend to be nasty by-products. They, in a sense, have become the modern merchants of death, whose clients remain unsavoury regimes.

Source: https://www.globalresearch.ca/modern-merchants-of-death-spyware-and-human-rights/5677491

"israeli" spyware, hey? I did suspect "israel" created a lot of malware...