WhatsApp has confirmed that Israeli spyware Pegasus has been used to surveil human rights activists, journalists and lawyers in India through their smartphones. “Indian users were among those contacted by us this week,” a WhatsApp spokesperson told The Citizen.

“We sent a special WhatsApp message to approximately 1,400 users that we have reason to believe were impacted by this attack to directly inform them about what happened,” the spokesperson said. WhatsApp became aware of the attack in May 2019 and has attributed it to NSO Group and its parent company Q Cyber Technologies. They have also filed a lawsuit against NSO Group in U.S. Court on 29 October, under the U.S. Computer Fraud and Abuse Act.

NSO Group, in a statement, denied the allegations. The statement read, “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. Our technology is not designed or licensed for use against human rights activists and journalists.” NSO further stated that the group has licenses their product, Pegasus only to “legitimate” government agencies.

Here are the key takeaways from the case:

1. Who has been affected? WhatsApp stated that the attack has targeted “at least 100 members of civil society, which is an unmistakable pattern of abuse.” They believe this number could grow as other victims come forward. Indian journalists, lawyers and human rights activists were among the 1,400 individuals contacted by WhatsApp regarding the cyber breach.

2. How was Pegasus used to surveil civil society members? WhatsApp claims they stopped a “highly sophisticated cyber attack” earlier this year. The attack used WhatsApp’s video calling feature to send malware to the targeted device. A missed call was all that was required to install spyware onto the phone. “After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call,” stated Will Cathcart, Head of WhatsApp, in an opinion article published in The Washington Post.

The University of Toronto’s The Citizen Lab, an academic research group analysed the cyber attack. According to their research, once the spyware known as Pegasus is installed, it can be used to send data from the targeted device—including passwords, calendar events, text messages, contact lists and even live voice calls from mobile messaging apps—to the operator. The spyware can be used to track the individual’s location and can also turn on the phone’s camera and microphone to record any activity nearby.

WhatsApp offers “end-to-end encryption” that uses digital locks such that only the sender and recipient of messages and calls have the key to view the same. As per the company’s spokesperson, “This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones.”

3. How was NSO involved? Cathcart mentions that WhatsApp was certain of the Israeli technology company’s involvement as the operators “used servers and Internet-hosting services that were previously associated with NSO.” They have also linked certain WhatsApp accounts used during the cyber attack to NSO.

NSO stated that the Group has sold Pegasus only to “vetted and legitimate government agencies.” The NSO website claims their products are used to help “licensed government intelligence and law-enforcement agencies lawfully address issues in today’s world” such as terrorism, criminal operations, finding missing persons and assisting search and rescue teams.

Contrary to NSO’s claims, The Citizen Lab stated, “As it stands, NSO Group and other spyware companies are equipping repressive governments with powerful tools to spy on those who hold them to account. With powerful surveillance technology such as this roaming free, there is nowhere to hide and no one will be safe from those who wish to cause harm.”

The recent WhatsApp suit against NSO is one in a slew of other suits filed against the group for helping governments spy on individual’s smartphones across countries including Israel and Mexico. NSO has previously come under the scanner when a lawsuit was filed against the company for helping the Kingdom of Saudi Arabia spy on an individual’s communications with murdered journalist Jamal Khashoggi, which were allegedly used to track Khashoggi.

4. What actions are being taken by WhatsApp? Post becoming aware of the attacks in May, WhatsApp stated they have added new system protections and issued an application update. “We are committed to doing all we can, working with industry partners, to protect our users and guard against these kinds of threats,” stated a WhatsApp spokesperson.

WhatsApp is seeking a permanent injunction banning NSO from using the app’s services. The complaint against NSO in U.S. Court alleges that the technology Group violated both U.S. and California laws along with WhatsApp Terms of Service. “This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users. In our complaint we explain how NSO carried out this attack, including acknowledgement from an NSO employee that our steps to remediate the attack were effective,” stated the company’s spokesperson.