Powerful ‘Trojan horse’ spyware found on Downing Street phone, security researchers say

Sign up for the View from Westminster email for expert analysis straight to your inbox

Get our free View from Westminster email

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Powerful spyware used by hackers to snoop on communications and steal data has been found on a device at Downing Street, researchers have said.

Specialists at the University of Toronto’s Citizen Lab said the notorious “Pegasus” Trojan horse appears to have been used to target both the prime minister’s office and the Foreign Office (FCDO).

The researchers said they had identified “multiple suspected instances of Pegasus spyware infections” on devices used by UK government officials.

Several No 10 mobile phones, including Boris Johnson’s, were tested after the 2020 breach – but UK officials were apparently unable to locate the infected device nor the nature of any stolen data.

The researchers believe the cyberattack targeting Boris Johnson’s office came from the United Arab Emirates (UAE) – while the identified FCDO infections appear to be linked to Pegasus “operators” in the UAE, India, Cyprus, and Jordan.

Ron Deibert, director of the Citizen Lab and Professor of Political Science at the University of Toronto’s Munk School of Global Affairs and Public Policy said: “During the course of our investigations into mercenary spyware, we will occasionally observe cases where we suspect that governments are using spyware to undertake international espionage against other governments.

“The vast majority of these cases are outside of our scope and mission. However, in certain select cases, where appropriate and while preserving our independence, we decide to notify these governments through the official channels, especially if we believe that our actions can reduce harm.

“We confirm that in 2020 and 2021 we observed and notified the government of the United Kingdom of multiple suspected instances of Pegasus spyware infections within official UK networks.”

Approached for comment by The Independent on the matter, a government spokesperson said: “We do not comment on security matters.”

The claims were first revealed in The New Yorker magazine. John Scott-Railton, a senior researcher at the Citizen Lab told the outlet: “When we found the No 10 case, my jaw dropped.”

Once the software, which was developed by Israeli company NSO Group, finds its way onto a person’s device it can copy messages, harvest photos, record phone calls, and even secretly film the user through the phone’s camera.

Real world conversations can be secretly recorded by switching on a phone’s microphone. Both Android and iOS devices are vulnerable to the technology. Pegasus was first identified in 2016 after a botched installation attempt against an Emirati human rights activist.

Boris Johnson visited the UAE in March in a bid to boost trade ties with the country and persuade the Gulf state to incease oil and gas production in light of the Russian invasion of Ukraine.

The prime minister has previously been criticised for taking a lax approach to his personal data security after it emerged that he had not changed his phone number for years and that it was readily available online. Pegasus and other spyware can be installed on devices through sending a text message to a user, sometimes exploiting loopholes that do not even require a user to click a link.