Data Security Officer
TL;DR
  • A bombshell report from The Guardian alleges that governments around the world could be misusing a popular type of spy software.
  • To gain access to the software, government agencies need to agree to only use it for criminal and terrorism investigations. The report suggests some governments are not keeping that promise.
  • The Guardian worked on the investigation alongside 16 other organizations, including the human rights watchdog Amnesty International.

Over the weekend, The Guardian published an exposé titled, “Revealed: Leak uncovers global abuse of cyber-surveillance weapon.” In the report, the publication used a leaked list of over 50,000 phone numbers to build a case that governments around the world are misusing a spy software suite from an Israeli company called NSO Group. The software is called Pegasus.

Using Pegasus, government agencies can secretly monitor mobile phones, including iPhones and Android phones. Once installed, the spyware can read messages, intercept calls, copy photos, and even remotely activate the microphone.

The Guardian and its partners in the investigation, 16 other organizations including Amnesty International, concluded that the majority of numbers on the leaked list are not connected to people with any obvious criminal history or association with criminality. Instead, they found the list filled with journalists, business executives, religious leaders, academics, and union officials. There were also government leaders on the list, including cabinet ministers, prime ministers, and presidents.


NSO Group claims that it thoroughly vets all of its Pegasus customers, which are exclusively associated with law enforcement agencies. It does this to ensure the spy software is only used to apprehend criminals and terrorists. Each customer must sign a contract stipulating they won’t use the software for nefarious purposes. Additionally, the Israeli government closely monitors NSO Group to ensure everything is on the level.

NSO Group does not operate Pegasus on behalf of its clients. Instead, it builds the spy software and sells it, leaving each client to run its own deployments. The Guardian’s report alleges that governments agree to abide by NSO Group’s rules and then use Pegasus for other ends, specifically monitoring people who are not criminal suspects.

What does this leaked spy software list mean?

The list of over 50,000 phone numbers does not mean every phone attached to those numbers is infected with Pegasus. Inclusion on the list means that a Pegasus client selected that number as a target of interest: the phone may have been successfully compromised, an attempt may have failed, or the number may simply have been associated with a Pegasus investigation. Which of these applies to any given number cannot be determined from the list alone; it requires forensic examination of the phone itself.

The investigation did just that. It was able to obtain and examine 67 phones whose numbers appear on the list. Of those 67 phones, 37 showed forensic traces of Pegasus. That is obviously a tiny, non-random sample of the 50,000 numbers, but a hit rate above 50% is not encouraging.


An analysis of all this data suggests that government agencies in 10 countries allegedly misused Pegasus: Azerbaijan, Bahrain, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, Hungary, India, and the United Arab Emirates (UAE). Of those 10 countries, the investigation suggests that Mexico accounted for the most numbers on the list, around 15,000. Several countries flat-out denied the allegations, while others simply declined to comment to The Guardian.

Pegasus can be installed on a device remotely by exploiting vulnerabilities in popular apps such as WhatsApp and iMessage, in some cases without any interaction from the target at all (so-called zero-click exploits). Alternatively, an agency can send the target a malicious link; a single tap on that link installs Pegasus in the background. Either way, the user is very unlikely to notice that the spy software is on their device.