Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named Graphite, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp.

Their investigation reveals that a previously unknown zero-day vulnerability in WhatsApp’s software allowed the spyware to be installed on devices through a zero-click exploit, giving adversaries unauthorized access to targeted phones.

A zero-click exploit compromises a device without the user clicking a link, opening a file, or performing any other action.

Attack flow explained (Source: The Citizen Lab)

Graphite Spyware Servers Worldwide

Paragon Solutions, established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to differentiate itself from other spyware vendors such as NSO Group by adhering to ethical standards.

However, Citizen Lab’s researchers mapped out servers attributed to Graphite and identified suspected deployments against journalists, human rights activists, and government critics across multiple countries, including:

  • Italy
  • Israel
  • Canada
  • Cyprus
  • Denmark
  • Australia
  • Singapore

WhatsApp’s parent company, Meta, has confirmed that approximately 90 users in 24 countries were targeted. Because the researchers are based in Canada, a significant aspect of the investigation focused on a Canadian client, the Ontario Provincial Police (OPP). The analysis uncovered links between Paragon and the OPP, revealing a systematic use of spyware capabilities among Ontario-based police services.

The Italian connection proved to be a focal point of the investigation. Forensic analysis of Android devices belonging to individuals notified by WhatsApp, including journalist Francesco Cancellato and Mediterranea Saving Humans founders Luca Casarini and Dr. Giuseppe Caccia, revealed clear indications of Graphite spyware.

Researchers identified a unique Android forensic artifact, BIGPRETZEL, which confirmed the presence of Paragon’s spyware on these devices. The Italian government initially denied any involvement but later acknowledged having contracts with Paragon.

Furthermore, the investigation extended to an iPhone belonging to David Yambio, a close associate of the confirmed Paragon targets. Apple threat notifications received by Yambio, coupled with forensic analysis, revealed an attempted infection with novel spyware, subsequently patched by Apple in iOS 18.

In response to Citizen Lab’s findings, Meta, along with Apple and Google, collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps. Apple also released a patch for its iOS operating system to protect iPhone users.

WhatsApp subsequently notified the targeted users. “If we believe that your device has come under threat, we may notify you about it directly via a WhatsApp chat,” the notification read.

WhatsApp Attacks Persist Despite NSO Group Lawsuit Win

Hackread.com earlier reported that the infamous Israeli spyware company NSO Group was held legally liable for compromising hundreds of WhatsApp accounts. The court found NSO Group responsible for breaching WhatsApp’s terms of service and exploiting a vulnerability to install its powerful Pegasus spyware on at least 1,400 devices, targeting journalists, human rights activists, political dissidents, and government officials.

Interestingly, CyberScoop reported in November 2024 that NSO Group continued to develop new malware based on WhatsApp exploits even after Meta filed a lawsuit against it, and that when WhatsApp disabled the Eden exploit, NSO Group created the Erised vector to target users until May 2020.

Now, the Citizen Lab’s findings indicate that Israeli spyware firms are continually focusing on exploiting WhatsApp vulnerabilities for spyware deployment and aggressively using them against journalists and activists.

These cases show the never-ending struggle between technology companies and malicious actors seeking to compromise user privacy. They also show the critical need for continuous caution, stricter security measures, and legal accountability within the spyware industry to protect digital privacy and human rights.



