It is learnt that at least two dozen academics, lawyers, Dalit activists and journalists in India were contacted and alerted by WhatsApp that their phones had been under state-of-the-art surveillance for a two-week period until May 2019.

The disclosure follows a lawsuit filed Tuesday in a US federal court in San Francisco in which WhatsApp alleged that the Israeli NSO Group targeted some 1,400 WhatsApp users with Pegasus.

Facebook-owned platform WhatsApp, in a startling revelation, has said journalists and human rights activists in India have been targets of surveillance by operators using Israeli spyware Pegasus.

While WhatsApp declined to reveal the identities and “exact number” of those targeted for surveillance in India, its spokesperson told The Indian Express that WhatsApp was aware of those targeted and had contacted each one of them.

“Indian journalists and human rights activists have been the target of surveillance and while I cannot reveal their identities and the exact number, I can say that it is not an insignificant number,” a WhatsApp spokesperson said.

The Pegasus Method

To monitor a target, a Pegasus operator must convince the target to click on a specially crafted ‘exploit link’, which allows the operator to penetrate security features on the phone and install Pegasus without the user’s knowledge or permission. Once the phone is exploited and Pegasus installed, it begins contacting the operator’s command and control servers to receive and execute operator commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps. The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity. In the latest vulnerability, the subject of the lawsuit, clicking the ‘exploit link’ may not even be required: a missed video call on WhatsApp would have been enough to open up the phone, without any response from the target at all.

In the lawsuit against the NSO Group and Q Cyber Technologies, WhatsApp alleged that the companies violated US and California laws as well as WhatsApp’s terms of service which prohibit this type of abuse. It claimed that smartphones were penetrated through missed calls alone.

“We believe this attack targeted at least 100 members of civil society which is an unmistakable pattern of abuse. This number may grow higher as more victims come forward,” it said.

The NSO Group, in a statement, said: “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists.” After doubts about this technology were first raised in May, the NSO Group said it put in place a ‘Human Rights Policy’ on September 19 which “further embeds human rights protections throughout our business and governance systems”.

The NSO Group claims Pegasus has been sold only to government agencies. “We license our product only to vetted and legitimate government agencies,” it said.

Emails, phone calls and text messages to Home Secretary A K Bhalla and Electronics and Information Technology Secretary A P Sawhney for comments went unanswered.

In September 2018, Canada-based cyber security group Citizen Lab said: “We found suspected NSO Pegasus infections associated with 33 of the 36 Pegasus operators we identified in 45 countries” including India. The 2018 report goes on to point to an India link active from June 2017 to September 2018. “We identified five operators that we believe are focusing on Asia. One operator, Ganges, used a politically themed domain.”

Citizen Lab was approached by Arab human rights activists who suspected they were under surveillance.

Incidentally, the NSO Group terminated its agreement with Saudi Arabia following the killing of journalist Jamal Khashoggi and emergence of links suggesting its spyware played a role in the tracking of Khashoggi before he was killed in his country’s consulate in Istanbul.

Sources at WhatsApp said that while messages going to and fro on their platform are encrypted and secure, the problem starts when malware compromises the device itself, making it very vulnerable to breach of privacy, often endangering freedoms and sometimes lives.