On Thursday, as many as 17 Indian cases of activists, lawyers and scholars being spied on by a sophisticated Israeli software program emerged. They had been targeted using the popular WhatsApp messaging platform, with the app compromised to deliver a state-of-the-art spying software called Pegasus.
How was this done, what does it mean for Indian politics and who did it? This explainer breaks down this story that could change how Indians view their phones.
How were the phones hacked?
In August 25, 2016 Ahmed Mansoor, a human rights activist from the United Arab Emirates, received a strange text message from a number he did not recognise on his smartphone.
Mansoor flagged the message to Citizen Lab, a Canadian digital rights watchdog. This chance event led to the discovery of one of the most powerful snooping software currently in existence.
Called Pegasus, the program downloads itself onto a phone using either a malicious URL or a redirected website. Since May, however, it has emerged that Pegasus can also worm its way into a phone via only missed calls on the messaging app WhatsApp. This means that a user who has WhatsApp installed has no way to prevent their device from being compromised should she become a target.
Pegasus is owned by an Israeli firm called NSO, which is currently being sued in the United States by WhatsApp. In a statement, NSO has argued that it is not to blame since it only sells Pegasus to “government intelligence and law enforcement agencies to help them fight terrorism and serious crime” rather than “for use against human rights activists and journalists”.
What can Pegasus do?
What can’t it do would be an easier question to answer. Once on a phone, the spyware has the run of the place. It can intercept every call and SMS, read every email and monitor each messaging app. Pegasus can also control the phone’s camera and microphone and has access to the device’s location data. The app advertises that it can carry out “file retrieval”, which means it could access any document that a target might have stored on their phone.
When Pegasus was discovered in 2016, its capabilities were so advanced, security experts couldn’t help but marvel at it, even as they feared what it could be used for. Talking to American website, Vice, mobile security expert Mike Murray called it “one of the most sophisticated pieces of cyberespionage software we’ve ever seen”. The software is so powerful that the Israeli government classifies it as a weapon.
Mansoor’s curiosity was simply dumb luck that led to the spyware getting discovered. There’s a good chance most Pegasus attacks will never be detected. In one interview to Defence News, as quoted in the BBC, the secretive NSO Group’s co-founder, Omri Lavie, said their attacks would “leave no trace”.
How has Pegasus been used?
Pegasus has been used across the world against dissidents, human rights activists and journalists. WhatsApp has found that 1,400 people around the world fell victim to Pegasus using just one of its delivery methods: missed WhatsApp calls. Of those, 100 are members of “civil society” as per WhatsApp’s statement, calling it an “unmistakable pattern of abuse”.
A Financial Times investigation has found that dissidents in Rwanda had been spied upon, including a journalist in exile, a human rights activist a senior opposition party member in exile and a former army officer who testified against the government in a French court. The Financial Times report went on to say that this was part of a pattern in how Paul Kagame, the Rawandan president for the past two decades ran the country.
Much the same pattern was found in India, with the target being activists, lawyers and scholars who are critical of the Bharatiya Janata Party government. In many cases, Scroll.in found that the targets were connected to a commemoration of Dalit history that preceded violence between Dalits and Marathas at Bhima Koregaon in Maharashtra on January 1, 2018.
The government is prosecuting the organisers of the event claiming that they were connected to banned far-left groups – but has yet to produce evidence to back its claims.
Should you stop using WhatsApp?
No, that won’t entirely help.
The glitch that allowed Pegasus to worm its way into a phone using a WhatsApp missed call has been patched up. But in the event that Pegasus had already been installed on to a phone before that, not only WhatsApp, every app and function on the device is compromised. The only way to fix it it to replace the handset itself.
Moreover, this is just one delivery method that has been detected. There are several more vulnerabilities, not just in WhatsApp, but also Telegram, another encrypted messaging service.
WhatsApp was probably selected by Pegasus to enter phones because it is widely popular, used by nearly a fourth of the planet. There is no guarantee other apps are not currently compromised or will not be in the future.
Who did this in India?
Given that NSO claims it only sells to governments and the fact that it is mostly critics of the ruling dispensation who have been targeted, some people have alleged that it is the Indian government that was behind the snooping.
In response, the Union minister of Information Technology Minister Ravi Shankar Prasad alleged that the Indian government under the United Progressive Alliance had spied on the then chief of the Indian Army as well as the Union Finance Minister. The Union government has also written to WhatsApp, asking it to respond to reports about the security breach.