The company allegedly at the centre of a spyware attack using a vulnerability in WhatsApp’s security features has previously been flagged as being linked to spyware infections in South Africa.
A 2018 report titled ‘Hide and Seek’ published by The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto in Canada, which helped to uncover the recent WhatsApp breach, identified 45 countries — including South Africa and other African nations — with suspected Pegasus spyware infections.
Pegasus — a tool that can turn on a phone’s microphone and camera, allowing an attacker to monitor a target’s calls, emails and contacts — was developed by Israeli technology firm NSO Group, thought to be responsible for the surveillance software installed on an unknown number of smartphones using a loophole in WhatsApp’s security features.
Suspected Pegasus infections were also identified in Algeria, Cote d’Ivoire, Egypt, Kenya, Libya, Morocco, Rwanda, Togo, Tunisia, Uganda and Zambia.
At the time of the report’s publication, NSO Group said in a statement to Citizen Lab: “Our product is licensed to government and law enforcement agencies for the sole purpose of investigating and preventing crime and terror.
Our business is conducted in strict compliance with applicable export control laws.” It added that there are “multiple problems” with the Citizen Lab report, and that the list of 45 countries is inaccurate.
On Tuesday, the Financial Times reported that WhatsApp had discovered a vulnerability that allowed spyware to be installed into a user’s phone through the messaging app’s phone call function.
WhatsApp, which is used by 1.5-billion people, is owned by Facebook, which has come under fire in recent years for its own porous privacy policies.
According to the Financial Times report WhatsApp discovered the security flaw earlier this month.
The vulnerability reportedly enabled attackers to install surveillance software on smartphones by ringing up targets using the app’s phone call function.
The software was reportedly developed by the NSO Group which is facing legal action over Pegasus.
In August last year, The New York Times reported that the NSO group is at the centre of two lawsuits accusing the company of actively participating in illegal spying.
One lawsuit reportedly alleges that journalists and activists have been targeted by surveillance technology sold to the Mexican government by NSO.
The lawsuits also reportedly argue that an affiliate of the NSO Group attempted to spy on foreign government officials in the United Arab Emirates four years ago.
According to the New York Times article, the technology used by the NSO affiliate works by sending text messages to a target’s phone, hoping to bait the person into clicking on them. If the user does, Pegasus is secretly downloaded. It works on phones running Android, BlackBerry OS, and iOS operating software..
NSO has reportedly previously rebuffed claims that it actively enabled governments to spy on their citizens, repeatedly asserting that it merely sells the technology to governments which agree to deploy it exclusively against criminals.
On Tuesday, WhatsApp reportedly encouraged users to update to the latest version of the app, which was published on Monday.
According to the Financial Times, WhatsApp said in a statement: “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems. We have briefed a number of human rights organisations to share the information we can and to work with them to notify civil society.”
When asked about the WhatsApp attacks by the Financial Times, NSO reportedly said it was investigating the issue: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.”
South African surveillance researcher Murray Hunter reiterated the importance of updating applications as a measure to prevent spyware infections. But Hunter also emphasised the role of government in disclosing its hacking capabilities in getting to the bottom of the extent of spyware abuses.
Hunter told the Mail & Guardian that because of the secrecy around surveillance operations, South Africans “know very little” about the extent to which spyware is being used to unlawfully monitor their devices.
“In the South African context there is evidence that the government has hacking capabilities using spyware … But there is no law regulating how they would use those capabilities. They have never admitted to having those capabilities,” Hunter said on Tuesday.
“So the public is in a situation where we know that these things happen. We know that in other places they have been abused. We know that there are traces of foreign-made software in our networks. But we actually have no clarity on who is doing it, what guidelines they are governed by and what is spent on it.”
Hunter said that — though governments may justify the secrecy around surveillance operations by saying that they are very sensitive and a matter of national security — civil society is calling for basic disclosures about what the government can and cannot do “and the legacy of spying abuses in South Africa against whistleblowers, journalists and activists as well as the general public”.
He added that South Africans cannot rely on private companies to protect their data and so must call on government to do so.
“They [private companies] have a history of putting profit over privacy. That is essentially why they exist and firms like NSO have shown that they will sell their software to the most abusive and roguish states in the world,” Hunter said.
“So you can never trust them to do the right thing. And that is why we have to demand that governments like ours actually show citizens that they will do whatever is necessary to protect us.”