WhatsApp has discovered an Israeli spyware vendor targeting 90 users by sharing malicious PDFs that can infect a phone.
The PDFs can plant the spyware without any user interaction. WhatsApp spotted the threat last month and has since plugged the vulnerability behind the so-called “zero click” attack.
Although details are thin, WhatsApp’s investigation traced the attack to Paragon Solutions, an Israeli surveillance company that recently received a $2 million contract from US Immigration and Customs Enforcement. In this case, some of the spyware’s targets included journalists and members of civil society, the Meta-owned messaging app told PCMag. The victims were also based in over two dozen countries, including those in Europe.
“We’ve reached out directly to people who we believe were affected,” WhatsApp added. “This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect peoples’ ability to communicate privately.”
The attack took advantage of a default WhatsApp feature that lets unknown contacts add you to a random WhatsApp group. Allegedly, Paragon delivered the attack by first adding the targeted user to a WhatsApp group before then sharing the malicious PDF.
WhatsApp says the spyware’s capabilities included siphoning user messages and other data stored on the device. Paragon’s flagship product, Graphite, is also known to specifically target encrypted messaging apps with the ability to harvest data from cloud backups.
The attack underscores the unsettling business of commercial spyware vendors, which often contract with government agencies in the name of security and counter-terrorism. Paragon’s own website says it “provides our customers with ethically based tools, teams, and insights to disrupt intractable threats.”
Recommended by Our Editors
But in the past, spyware attacks from other providers have been found snooping on phones belonging to politicians, government staffers, and human rights activists. Paragon may have also been sold to a US investment firm called AE Industrial Partners, which has raised further fears that the company’s technology could be used to spy on phones in the US.
WhatsApp has updated its servers to protect from the attack. Still, users should consider changing their privacy settings so that only known contacts can add them to WhatsApp groups. The messaging app also posted a dedicated support article on how it’s been protecting users from spyware.
Paragon didn’t immediately respond to a request for comment. In the meantime, WhatsApp says it sent a cease-and-desist letter to the company.
Like What You’re Reading?
This newsletter may contain advertising, deals, or affiliate links.
By clicking the button, you confirm you are 16+ and agree to our
Terms of Use and
Privacy Policy.
You may unsubscribe from the newsletters at any time.
About Michael Kan
Senior Reporter
