The story so far: Between May and September, former Egyptian MP Ahmed Eltantawy was targeted with Cytrox’s Predator spyware sent via links on SMS and WhatsApp. Apple has since released an update for its products fixing the bug used in the attack. The attack on Mr. Eltantawy came after he publicly stated plans to run for President in the 2024 Egyptian elections, which is especially concerning since Egypt is a known customer of Cytrox’s Predator spyware, Citizen Lab said in a blog post.
Is this a first?
This was not the first time spyware was used for surveilling a political opponent in a country. In 2021, investigations under the Pegasus Project revealed the massive scale of potential targets of spyware — more than 50,000 phone numbers in 50 countries. Reports shared that victims of the spyware attacks were in India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the UAE. The Pegasus spyware was also reportedly used by the Kingdom of Saudi Arabia to target journalist Jamal Khashoggi’s wife months before his death. Mr. Khashoggi, a U.S. resident, was murdered at the Saudi consulate in Istanbul. He was a known critic of the Saudi Arabian Crown Prince Mohammed Bin Salman.
However, in almost all known cases authorities either chose to deny allegations of the use of spyware or have been non-committal in their response.
What is spyware?
Spyware is loosely defined as malicious software designed to enter a device, gather sensitive data, and forward it to a third party without the user’s consent. While spyware may be used for commercial purposes like advertising, malicious spyware is used to profit from data stolen from a victim’s device. Spyware is broadly categorised as trojan spyware, adware, tracking cookies, and system monitors. While each type of spyware gathers data for its operator, system monitors and adware are more harmful as they may modify a device’s software and expose the device to further threats.
What is commercial spyware?
Malicious spyware has been around since the 1990s. Earlier iterations of spyware were limited to being used by criminals to steal passwords or financial information. However, opportunities for governments and law enforcement agencies to use spyware as part of legal investigations led to the development of commercial spyware. Commercial spyware mainly targets mobile platforms and can legitimately be used against criminals and terrorists. However, the lack of global regulations for companies developing spyware has led to their use by authoritarian governments to spy on political opponents.
Commercial spyware, such as the Pegasus spyware from the NSO Group, can reportedly not only mop up information from mobile devices but also turn on the camera and microphone without the owner’s knowledge, effectively turning handsets into spying devices.
How are the devices targeted?
Investigations by Citizen Lab and Google’s Threat Analysis Group (TAG) revealed that spyware on the former Egyptian MP’s device was delivered via network injection from a device located physically inside Egypt. The investigators, therefore, attribute the network injection attack to the Egyptian government with “high confidence”.
Mr. Eltantawy’s device was infected when he visited certain websites without ‘HTTPS’ from his phone using his Vodafone Egypt mobile data connection. When he visited these sites, his device was silently redirected to a website that matches the fingerprint for Cytrox’s Predator spyware — this is where his device was injected with the spyware, Citizen Lab shared in a blog post. Further investigation revealed that Mr. Eltantawy received several SMS messages in September 2021, May 2023, and September 2023 that posed as messages originating from WhatsApp.
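The redirect pattern described above (a plaintext HTTP request answered with a redirect to an unrelated host) is something a defender can triage from proxy or device logs. The following is an added example, not code from Citizen Lab, TAG or this article; the log format, hostnames and the two-label domain approximation are all constructed for illustration.

```python
# Added example: flag plaintext (http://) requests that were redirected (3xx)
# to a host outside the requested site's domain. Log format and values are
# constructed for this example; real deployments would use a public-suffix
# list instead of the crude registrable_domain() below.
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class Redirect:
    requested: str
    location: str
    status: int

# Constructed sample log: "<ts> <method> <url> <status> <Location header or ->"
SAMPLE_LOG = """\
2023-09-12T10:01:02Z GET http://example-news.test/story 200 -
2023-09-12T10:01:05Z GET http://example-news.test/story 302 https://example-news.test/story
2023-09-12T10:02:11Z GET http://shop.example.test/ 302 http://unrelated-host.example/landing
2023-09-12T10:03:40Z GET https://bank.example.test/ 301 https://www.bank.example.test/
"""

def registrable_domain(host: str) -> str:
    """Crude last-two-labels approximation of a registrable domain (no PSL)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def parse_line(line: str) -> Optional[Redirect]:
    """Parse one constructed log line; return None for non-redirect entries."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, _method, url, status, location = parts
    if not status.isdigit() or location == "-":
        return None
    return Redirect(url, location, int(status))

def suspicious_redirects(log: str) -> List[Redirect]:
    """Plaintext requests redirected (3xx) to a host outside the requested domain."""
    hits = []
    for line in log.splitlines():
        r = parse_line(line)
        if r is None or not 300 <= r.status < 400:
            continue
        src, dst = urlsplit(r.requested), urlsplit(r.location)
        if src.scheme != "http":
            continue  # the described injection targeted plaintext traffic only
        # An http -> https upgrade on the same domain is normal and is not flagged.
        if registrable_domain(src.hostname or "") != registrable_domain(dst.hostname or ""):
            hits.append(r)
    return hits
```

Only the third line is flagged: the same-domain HTTP-to-HTTPS upgrade and the HTTPS-origin redirect are treated as benign.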
In India, the Pegasus spyware was part of a $2-billion “package of sophisticated weapons and intelligence gear” transaction between India and Israel after Narendra Modi became the first Indian Prime Minister to visit Israel, according to reports published in The New York Times. The spyware in India was used against at least 40 journalists, Cabinet Ministers, and holders of constitutional positions, according to reports in The Washington Post. The spyware was delivered to the victims’ phones by exploiting zero-day vulnerabilities, which means even the device manufacturer was unaware of these exploits.
And while in all these cases malicious links were sent to the victim’s device, reports indicate that the spyware is capable of zero-click attacks. This means that it can infect a device without requiring the user to click on a malicious attachment or link.
Is the use of spyware increasing?
Between 2011 and 2023, at least 74 governments contracted with commercial firms to obtain spyware or digital forensics technology, the Carnegie Endowment for International Peace, an independent international affairs think tank, shared in a blog post.
Autocratic regimes are more likely to purchase commercial spyware or digital forensics than democracies — 44 regimes classified as closed autocracies or electoral autocracies are known to have procured targeted surveillance technologies, the post said.
Earlier this year, an Indian defence agency was reportedly purchasing equipment from an Israeli spyware firm that is being billed as a potential Pegasus alternative, according to trade data reviewed by The Hindu. The firm in question is Cognyte Software Ltd, which faces a class action lawsuit in the U.S. from investors. In 2022, a report from The New York Times shared that the FBI in the U.S. had bought a version of the Pegasus spyware and that Mexican authorities had deployed NSO products against journalists and political dissidents. Similar uses have also been reported in the UAE and Saudi Arabia.
Inconsistencies in democratic governments’ approach to tackling human rights abuses and fragmentation of the regulatory framework are seen as enablers of the use of spyware by authorities. An example of this can be noted in the NSO Group establishing subsidiaries in Bulgaria and Cyprus to facilitate selling its products.
Do spyware firms face backlash?
In 2021, after 16 media outlets formed a consortium known as the Pegasus Project and gained access to a list of fifty thousand phone numbers targeted by the NSO group’s clients, the U.S. blacklisted the NSO Group, driving the firm to the brink of bankruptcy. However, patrons of the surveillance industry turned to other companies in the domain to accomplish their goals, leaving the spyware industry as a whole relatively unscathed.
Even before the Pegasus Project raised an alarm about the use of spyware by government agencies, Germany’s FinFisher and Italy’s Hacking Team were dominant players in the market. Products from both companies were linked to surveillance abuses in a range of countries. Israel is the leading exporter of spyware and digital forensics, but the country has not sufficiently prioritised human rights considerations in its export licensing regime, according to Carnegie.
How have tech companies reacted?
Tech giants including Meta, Google, and Apple have taken concrete steps to address the problem of commercial spyware firms exploiting bugs in their software. In the case of Mr. Eltantawy, Apple and Google updated their software to fix the bugs exploited by Cytrox’s Predator spyware. With iOS 16, Apple also released a ‘Lockdown Mode’, which the company called an “extreme protection” designed for high-risk individuals. While Lockdown Mode limits the device’s functionality, it has proven to be a viable option for protecting against spyware attacks.
Meta-owned WhatsApp has gone as far as pursuing a lawsuit accusing Israel’s NSO Group of exploiting a bug in its software. The lawsuit, filed in 2019, seeks an injunction and damages from the NSO Group. WhatsApp has alleged that the spyware firm accessed its servers without permission six months prior to installing the Pegasus software on victims’ mobile devices. The current U.S. administration has urged U.S. justices to reject NSO’s appeal against the lawsuit.