On Tuesday, May 14, the Financial Times first reported that Israeli hackers had infiltrated WhatsApp though a spyware. WhatsApp’s 1.5 billion users may have been impacted, as its parent company, Facebook, is now urging users to install an update that removes the virus.
The hackers were able to use code developed by a secret Israeli company, the NSO Group, and transfer it to unsuspecting WhatsApp users through a dropped phone call.
These malicious calls did not always appear on users’ call logs, says the Financial Times.
Both iPhone and Android handsets were at risk. Although there is no official figure of the people impacted by this hack, WhatsApp is now pushing out an update that patches up this security issue for all of its 1.5 billion users.
WhatsApp said the worldwide update stems “out of an abundance of caution”. Citizen Lab, a Canadian research group, has also recommended installing the update.
“WhatsApp has just pushed out updates to close a vulnerability. We believe an attacker tried (and was blocked by WhatsApp) to exploit it as recently as yesterday to target a human rights lawyer. Now is a great time to update your WhatsApp software,” tweeted Citizen Lab on May 14.
How WhatsApp’s spyware works
The NSO’s principal programme is called Pegasus, and it can scan a phone’s messages, emails, and location data. Pegasus can also turn on the phone’s camera and microphone remotely.
The Financial Times says the NSO advertises Pegasus to countries in the West and Middle East as a surveillance tool against terrorism and cyber crime. The company added that it only works with lawful agencies.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the NSO told the Financial Times.
Who was impacted?
One of the WhatsApp users impacted by the hack was a UK-based lawyer who declined to be identified. This lawyer has helped journalists and dissidents in Mexico and a government critic in Saudi Arabia, who has now relocated to Canada, sue the NSO.
A spokesperson for WhatsApp said that the attack had the markings of a “private company working with governments on surveillance”.
Other human rights lawyers have also been approached by people posing as clients or donors who want confidential information on cases.
Another lawyer Alaa Mahajne told Financial Times, “It’s upsetting but not surprising that my team has been targeted with the very technology that we are raising concerns about in our lawsuits.”
NDTV reports that NSO is being sued for damages related to programmes like Pegasus in Israel and Cyprus.
Amnesty International also spoke to the Financial Times who said that NSO is known for selling its technology to groups that pile up human rights violations and invade the privacy of activists and lawyers, seeking to hold them accountable.
NSO denied these accusations but is still investigating the hack.
“NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer],” it said to the Financial Times.
Security concerns with Facebook
Political interference on digital channels like WhatsApp and Facebook are increasing becoming a common concern.
In 2016, the US presidential election was rife with accusations of foreign interference by Russia, who allegedly used social media platforms in favour of Trump.
The Mueller Report compiled by US special counsel Robert Mueller found that there were instances of hacking by Russian operatives who tried to sway the American election through ads and posts on Facebook.
Facebook has also been embroiled in privacy and security-related issues before. In one of the most massive data breaches yet, Facebook users’ public information was mined by a British firm, Cambridge Analytica, who might have used it for propaganda during the 2016 US presidential election.
Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg addressed the breach in a statement saying, “People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked.”
Just last week, Zuckerberg spoke about Facebook’s new push towards being more privacy-focused. He announced that the company as a whole will be restructuring to ensure a more user-centric experience that gives people the chance to increase their privacy.
Zuckerberg said, “For the last 15 years, we’ve built Facebook and Instagram into digital equivalents of the town square, where you can interact with lots of people at once. Now, we’re focused on building the digital equivalent of the living room, where you can interact in all the ways you’d want privately—from messaging and stories to secure payments and more.”
The worm in Apple
Another major tech company, Apple, was also on the defensive after users reported a major security breach.
After updating FaceTime and using the group-calling feature, users found that a call recipient’s video camera and microphone could be turned on even if they had not answered the call.
Apple disabled this new group-calling feature and said, “We’re aware of this issue and have identified a fix that will be released in a software update later this week.”
The story here at home
In the aftermath of these incidents, India has taken its own precautions related to social media, especially during the Lok Sabha elections 2019.
The Election Commission created a social media code of ethics in conjunction with Facebook, WhatsApp, Google, Twitter, ShareChat, and TikTok where these platforms will work with the EC to ensure no user spreads false news and no candidates or parties violate the model code of conduct during the elections.
Rhea Arora is a Staff Writer at Qrius.