A WhatsApp spokesperson confirmed to TNM that Indian users were among those contacted by the company this week.

WhatsApp confirms Indian journalists, activists were snooped on using Israeli spyware
Thursday, October 31, 2019 - 15:08

WhatsApp’s Indian representatives have confirmed that a ‘not insignificant’ number of journalists and human rights activists in the country were targeted using spyware that infected its platform in May 2019. The confirmation comes a day after the messaging service, owned by Facebook, sued the NSO Group, an Israeli tech company, in an American federal court for using its platform to conduct surveillance. The US lawsuit said that malicious software named Pegasus was designed and used to infect about 1,400 specifically targeted devices. Notably, the NSO Group has described itself as providing 'authorized governments with technology that helps them combat terror and crime'.

Multiple news reports on Thursday confirmed that those targeted in India included human rights activists arrested over their alleged involvement in the Bhima-Koregaon caste riots in January 2018. These include Surendra Gadling, Nihal Singh Rathod, Bela Bhatia, Degree Prasad Chouhan and Anand Teltumbde, whose representatives told the media that they had received messages from Citizen Lab regarding the attack.

A WhatsApp spokesperson confirmed to TNM that Indian users were among those contacted by the company this week. The story, first reported by Indian Express, reveals that these Indian users included ‘at least two dozen academics, lawyers, Dalit activists and journalists’ who were targeted for a two-week period. WhatsApp told the newspaper that each targeted person was contacted by the company. A company spokesperson further said that this was 'not an insignificant number', refusing to reveal details of those who were targeted. The NSO Group has denied these allegations.

Significantly, WhatsApp’s lawsuit against the NSO Group says that the spyware attack took place between April and May 2019. In India, this appears to have coincided with the General Elections.

What is Pegasus?

Pegasus or its variants are defined as spyware: covertly installed software that enables an attacker to intercept and extract data from a victim's device without their knowledge. Specifically, it is believed to be a remote access trojan (RAT), the kind that is downloaded without the user's explicit consent and designed to give complete control of the system (mobile phone or computer) to the attacker. Pegasus was reportedly designed to be remotely installed and to enable remote access to and control of information—including calls, messages, and location—on mobile devices using the Android, iOS, and BlackBerry operating systems.

WhatsApp alleges that Pegasus was so sophisticated as an attack tool that it could be surreptitiously installed on a victim’s phone without the victim taking any action such as clicking a link or opening a message. Such remote installation meant that the victims could not detect and report the attack. According to a Washington Post op-ed written by WhatsApp chief Will Cathcart, the May 2019 attack saw the targeted user receive what appeared to be a legitimate video call. However, after the phone rang, “the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call.”

The India connect 

In addition to the stunning revelations that have come to light, Citizen Lab, a multidisciplinary research group at the University of Toronto, had in September 2018 identified India among 45 countries where Pegasus was operational. The academic group is helping WhatsApp identify targets of this attack who were members of civil society, such as human rights activists and journalists. 

A Citizen Lab report identified five Pegasus operators that they believe are focusing on Asia. "One operator, GANGES, used a politically themed domain signpetition[.]co," it said. GANGES, reportedly active from June 2017, was suspected to have infected users in India, Pakistan, Bangladesh, Brazil and Hong Kong.

In an appendix of temporary databases that the report identified in India, suspected infections for operator GANGES named mobile BHARTI Airtel Ltd (including its Telemedia Services and GPRS Service), Atria Convergence Technologies Ltd (popularly known as ACT), Mahanagar Telephone Nigam Limited (MTNL), National Internet Backbone, Hathway IP Over Cable Internet and Star Broadband Services.
