WhatsApp had alerted at least 24 Dalit activists, lawyers, academics and journalists in India that their phones were under surveillance for a two-week period in May 2019. The sole objective of NSO is to provide technology to licenced government intelligence and law enforcement agencies to help them fight terrorism and serious crime.
Though WhatsApp had fixed the vulnerability in May itself, an internal investigation conducted over the last few months revealed that the spyware was targeted at over 1,400 people, including diplomats, political dissidents, journalists, and government officials. Scroll.in has so far confirmed the identities of 14 of the targeted individuals.
WhatsApp spokesperson Carl Woog told The Indian Express newspaper that a "not insignificant number" of Indian journalists and human rights activists were targeted in the breach, each of whom has been informed that their security and privacy were compromised.
If anything, the development is another reminder that technology companies should never be required to intentionally weaken their security systems via backdoors.
NSO Group has countered that it does not allow its software to be used for any illegal surveillance and only sells its tools to legitimate governments and agencies that investigate terrorism and crime.
In response, NSO said: "In the strongest possible terms, we dispute today's allegations and will vigorously fight them".
In addition to the stunning revelations that have come to light, Citizen Lab, a multidisciplinary research group at the University of Toronto, had in September 2018 identified India among 45 countries where Pegasus was operational.
"We identified five operators that we believe are focusing on Asia".
All three lawyers have been active in human rights-related legal work (which is sometimes described as "activism"), as well as, notably, the controversial Bhima Koregaon case: Rathod represented the accused Surendra Gadling, and Gera and Grewal had acted for defendant Sudha Bharadwaj (who also happens to be a lawyer).
WhatsApp has not shared details of the agencies that used the spyware to target users.
NSO, according to WhatsApp, got into people's phones via Pegasus, its "flagship" spyware.
The Citizen Lab notes that Pegasus has used other ways in the past to infiltrate a target's device, like getting the target to click on a link using social engineering or using fake package notifications to deploy the spyware. The spyware then could contact the operator's command and control servers to receive and execute operator commands, and send back the target's private information, including passwords, contact lists, text messages, and live voice calls from popular mobile messaging apps.
One version of the attack didn't even require an "exploit link", but instead gained access through a vulnerability via a missed video call on the target phone.
WhatsApp had first been tipped off to the attack by suspicious calls, but because of its privacy and data-retention rules, it had no idea whose numbers they were.
The operator can even remotely turn on the phone's camera and microphone to capture the user's activity and vicinity.