WhatsApp boss says Pegasus spyware is internet’s ‘wake up call’ and Apple not doing ‘enough’ to secure iPhones

‘Mobile phones are either safe for everyone or they are not safe for everyone’, Will Cathcart added

Adam Smith
Monday 26 July 2021 13:38
comments
Leer en Español

Senior government officials and “allies of the US” were targeted by the spyware from the surveillance software developer NSO Group, according to the head of encrypted messaging app WhatsApp.

Will Cathcart, who became the head of the Facebook-owned app in 2019, said that in the same year 1,400 WhatsApp users were targeted by governments using software from NSO Group.

Last week, it was reported that military-grade spyware ‘Pegasus’ from NSO Group infiltrated the smartphones of journalists, politicians, and human rights activists, according to an investigation by 17 media organisations and Amnesty International.

Mr Cathcart said that the recent attack reported in the media was similar to the attack against WhatsApp users two years ago. That attack is now the subject of a lawsuit brought by WhatsApp against NSO Group.

“The reporting matches what we saw in the attack we defeated two years ago, it is very consistent with what we were loud about then,” Mr Cathcart told The Guardian.

“This should be a wake up call for security on the internet … mobile phones are either safe for everyone or they are not safe for everyone.”

Over 50,000 phone numbers were on a list of people believed to be of interest of NSO Group clients, although the spyware manufacturer says the number is too large to represent individuals targeted by Pegasus. NSO Group has repeatedly claimed reporting of the Pegasus project is “full of wrong assumptions and uncorroborated theories”, saying the figures reported are too large.

However, Mr Cathcart said that the claim “tells us that over a longer period of time, over a multi-year period of time, the numbers of people being attacked are very high,” he said. “That’s why we felt it was so important to raise the concern around this.”

WhatsApp’s claims mean the messaging giant has evidence that an NSO Group server attempted to install malicious software on a user device.

Mr Cathcart also implied that iPhone manufacturer Apple had not been as vocal about the dangers of malware, praising Microsoft and Google’s statements about “the perils of giving spyware firms like NSO immunity” on Twitter.

“I hope that Apple will start taking that approach too. Be loud, join in. It’s not enough to say, most of our users don’t need to worry about this. It’s not enough to say ‘oh this is only thousands or tens of thousands of victims’,” he told The Guardian.

“If this is affecting journalists all around the world, this is affecting human rights defenders all around the world, that affects us all. And if anyone’s phone is not secured that means everyone’s phone is not secure.”

Apple declined to comment on Mr Cathcart’s statement. WhatsApp declined to comment further when asked by The Independent.

NSO Group did not respond to a request for comment from The Independent before time of publication, but told The Guardian: “We are doing our best to help creating a safer world. Does Mr Cathcart have other alternatives that enable law enforcement and intelligence agencies to legally detect and prevent malicious acts of pedophiles, terrorists and criminals using end-to-end encryption platforms? If so, we would be happy to hear.”

WhatsApp does, in fact, have systems in place for law enforcement to detect malicious acts using end-to-end encrypted platforms. This is done through metadata – information created by sending messages but does not include the content of the message – such as IP address, message frequency, name and profile photo.

Machine learning algorithms then detect abnormal behaviour, such as messages exchanged with accounts known for sharing child sexual abuse material.

While such information is helpful to law enforcement, if such data fell into the wrong hands it could be used for nefarious purposes – as even an IP address can be used as a gateway to more precious personal data, such as a user’s name or location. This is why some privacy advocates, such as Edward Snowden, prefer to use Signal, which collects significantly less data on the user.

Join our new commenting forum

Join thought-provoking conversations, follow other Independent readers and see their replies

View comments