A single fake image file mistakenly left on an activist’s iPhone initiated a scandal over NSO Group’s Pegasus spyware, a new report says. The exposure resulted in an international outcry over privacy.
A July report exposed that authoritarian governments were using phone spyware made by the Israeli surveillance company NSO Group to target journalists, human rights activists, and lawyers around the globe.
An investigation by 17 media organizations and Amnesty International’s Security Lab uncovered a massive data leak that indicated widespread abuse of NSO’s commercial hacking spyware, Pegasus. Pegasus can infect iPhones and Android devices, allowing attackers to extract messages, emails, and media, record calls, and secretly activate the devices’ microphones.
The entire scandal came to light thanks to a fake image file discovered earlier that year.
Pegasus can be made to hide all traces of its existence on a target’s iPhone after offloading user data to its controller, but a slip-up resulted in a single fake image file being left on Saudi Arabian activist Loujain al-Hathloul’s iPhone, Reuters reports.
Soon after her release from jail, the activist received an email from Google warning her that state-backed hackers had tried to penetrate her Gmail account. Fearful that her iPhone had been hacked as well, al-Hathloul contacted the Canadian privacy rights group Citizen Lab and asked them to probe her device for evidence, three people close to al-Hathloul told Reuters.
After six months of digging through her iPhone records, Citizen Lab researcher Bill Marczak made what he described as an unprecedented discovery: a malfunction in the surveillance software implanted on her phone had left behind a copy of the malicious image file, instead of deleting it, after it stole its target’s messages.
“It was a game-changer,” said Citizen Lab researcher Bill Marczak. “We caught something that the company thought was uncatchable.”
The file gave researchers a blueprint for Pegasus hacks. This allowed Apple to notify thousands of potential victims of the intrusion, sources familiar with the incident said. Apple also used it to create and release an update fixing the vulnerabilities Pegasus exploited, and later to file a lawsuit against NSO itself.
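The artifact at the centre of this story was a file that looked like an image but was not one. As an added illustration (not Citizen Lab’s tooling and not tied to any real Pegasus sample), the script below walks a directory such as an extracted phone backup and flags files whose image extension does not match the real header bytes of that format; the sample files it builds are constructed inline.

```python
# Added example: flag "fake image" files, i.e. files carrying an image
# extension whose leading bytes are not that format's magic number.
# Constructed defender-side illustration; the magic numbers are the real
# ones for each format, the sample files are made up for the demo.
from pathlib import Path
import tempfile

# Real header signatures for a few common image formats.
IMAGE_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
}


def classify_image(name: str, head: bytes) -> str:
    """Classify one file from its name and first bytes.

    Returns 'ok' (header matches extension), 'mismatch' (image extension
    but foreign content) or 'unknown-ext' (not an extension we check)."""
    ext = Path(name).suffix.lower()
    if ext not in IMAGE_MAGIC:
        return "unknown-ext"
    return "ok" if any(head.startswith(m) for m in IMAGE_MAGIC[ext]) else "mismatch"


def find_fake_images(directory: str) -> list:
    """Return relative paths of files whose image extension lies about content."""
    suspects = []
    for p in sorted(Path(directory).rglob("*")):
        if not p.is_file():
            continue
        with open(p, "rb") as f:
            head = f.read(16)  # longest signature above is 8 bytes
        if classify_image(p.name, head) == "mismatch":
            suspects.append(str(p.relative_to(directory)))
    return suspects


def demo() -> list:
    """Build a constructed sample tree: one genuine PNG header, one fake GIF."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        (Path(d) / "cat.gif").write_bytes(b"XXXX" + b"\x00" * 32)  # constructed fake
        (Path(d) / "notes.txt").write_bytes(b"plain text, not checked")
        return find_fake_images(d)


if __name__ == "__main__":
    print(demo())  # ['cat.gif']
```

A real triage would also inspect the mismatched files’ contents, since a header check alone only tells you that the file is not what its name claims.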