The beleaguered Israeli surveillanceware vendor NSO Group this week admitted to the European Union lawmakers that its Pegasus tool was used by at least five countries in the region.
“We’re trying to do the right thing and that’s more than other companies working in the industry,” Chaim Gelfand, the company’s general counsel and chief compliance officer, said, according to a report from Politico.
Acknowledging that it had “made mistakes,” the company also stressed on the need for an international standard to regulate the government use of spyware.
The disclosure comes as a special inquiry committee was launched in April 2022 to investigate alleged breaches of E.U. law following revelations that the company’s Pegasus spyware is being used to snoop on phones belonging to politicians, diplomats, and civil society members.
“The committee is going to look into existing national laws regulating surveillance, and whether Pegasus spyware was used for political purposes against, for example, journalists, politicians and lawyers,” the European Parliament said in March 2022.
Earlier this February, the European Data Protection Supervisor (EDPS) called for a ban on the development and the use of commercial spyware in the region, stating that the technology’s “unprecedented level of intrusiveness” could endanger users’ right to privacy.
Pegasus, and its other counterparts like FinFisher and Cytrox, are designed to be stealthily installed on a smartphone by exploiting unknown vulnerabilities in software known as zero-days to seize remote control of the device and harvest sensitive data.
Infections are typically achieved by means of one-click attacks wherein targets are tricked into clicking on a link sent via messages on iMessage or WhatsApp, or alternatively using zero-click exploits that require no interaction.
Once installed, the spyware provides support for a broad range of capabilities that allows the operator to track the victim’s whereabouts, eavesdrop on conversations, and exfiltrate messages from even encrypted apps like WhatsApp.
NSO Group, founded in 2010, has long maintained it only supplies the software to government customers for what it says is to tackle terrorism, drug trafficking, and serious crime, but evidence has shown widespread misuse of the software to keep tabs on political opponents, critics, activists, journalists, lawyers across the world.
“The use of Pegasus does not require cooperation with telecommunication companies, and it can easily overcome encryption, SSL, proprietary protocols, and any hurdle introduced by the complex communications worldwide,” the Council of Europe noted in an interim report.
“It provides remote, covert, and unlimited access to the target’s mobile devices. This Modus Operandi of the Pegasus clearly reveals its capacity to be used for targeted as well as indiscriminate surveillance.”