Rights activists, journalists and lawyers around the world have been targeted with phone malware sold to authoritarian governments by an Israeli surveillance firm, media reports say.
They are on a list of up to 50,000 phone numbers of people believed to be of interest to clients of the company, NSO, leaked to major news outlets.
It is not clear where the list came from – or whose phones had actually been hacked.
NSO denies any wrongdoing.
It says the software is intended for use against criminals and terrorists and is made available only to military, law enforcement and intelligence agencies from countries with good human rights records.
In a statement, it said the original investigation which led to the reports, by Paris-based NGO Forbidden Stories and the human rights group Amnesty International, was “full of wrong assumptions and uncorroborated theories”.
The allegations about use of the software, known as Pegasus, were carried on Sunday by the Washington Post, the Guardian, Le Monde and 14 other media organisations around the world.
Pegasus infects iPhones and Android devices to enable operators to extract messages, photos and emails, record calls and secretly activate microphones.
Forensic tests on a few phones with numbers on the list indicated more than half had traces of the spyware.
Some 180 journalists are said to be on the list, from organisations such as Agence France-Presse, CNN, the New York Times, Al Jazeera and many other news outlets.
They also include two women close to the murdered Saudi journalist Jamal Khashoggi and a Mexican journalist named Cecilio Pineda Birto, who was murdered at a carwash.
The wider list also includes heads of state and government, members of Arab royal families and business executives.
The allegations here are not new but what is new is the scale of the targeting of innocent people that’s allegedly taking place. Nearly 200 reporters from 21 countries have their phone numbers on this list and more names of high-profile public figures are expected to be revealed.
There are plenty of unknowns in these allegations – including where the list comes from and how many of the phone numbers were actively targeted with spyware. NSO Group have once again come out swinging and deny all accusations but it’s a blow for the company that is actively trying to reform its reputation.
Only two weeks ago they released their first “transparency report” detailing human rights policies and pledges. Amnesty International brushed the 32-page document off as a “sales brochure”.
These latest allegations will do further damage to its image, but they won’t hurt the company financially. There are very few private companies able to produce the sort of invasive spy tools that NSO sells, and clearly the largely unregulated market for the software is booming.
More details about who has been targeted are expected to be released in the coming days.
WhatsApp sued NSO in 2019, alleging the company was behind cyber-attacks on 1,400 mobile phones involving Pegasus.
At the time, NSO denied any wrongdoing, but the company has been banned from using WhatsApp.