An Israeli firm accused of supplying spyware to governments has been linked to a list of tens of thousands of smartphone numbers, including those of activists, journalists, business executives and politicians around the world, according to reports.
The NSO Group and its Pegasus malware — capable of switching on a phone’s camera or microphone, and harvesting its data — have been in the headlines since 2016.
Sunday’s revelations — part of a collaborative investigation by The Washington Post, The Guardian, Le Monde and other media outlets — raise privacy concerns and reveal the far-reaching extent to which the private firm’s software could be misused.
The leak consists of more than 50,000 smartphone numbers believed to have been identified as connected to people of interest by NSO clients since 2016, the news organisations said, although it was unclear how many devices were actually targeted or surveilled. NSO has denied any wrongdoing, labelling the allegations “false”.
On the list were 15,000 numbers in Mexico — among them reportedly a number linked to a murdered reporter — and 300 in India, including politicians and prominent journalists. Last week, the Indian government — which in 2019 denied using the malware to spy on its citizens, following a lawsuit — reiterated that “allegations regarding government surveillance on specific people has no concrete basis or truth associated with it whatsoever”.
The Post said a forensic analysis of 37 of the smartphones on the list showed there had been “attempted and successful” hacks of the devices.
Among the numbers on the list are those of journalists for AFP, The Wall Street Journal, CNN, The New York Times, Al Jazeera, El Pais, the Associated Press, Le Monde, Bloomberg, The Economist, and Reuters, The Guardian said.
The use of the Pegasus software to hack the phones of Al Jazeera reporters and a Moroccan journalist has been reported previously by Citizen Lab, a research centre at the University of Toronto, and Amnesty International.
Forbidden Stories, a Paris-based journalism non-profit, and Amnesty originally shared the leak with the newspapers.
The Post said the numbers on the list were unattributed, but other media outlets participating in the project were able to identify more than 1,000 people in more than 50 countries.
Pegasus is a highly invasive tool that can switch on a target’s phone camera and microphone, as well as access data on the device, effectively turning a phone into a pocket spy. In some cases, it can be installed without the need to trick a user into initiating a download.— AFP