Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data

Mar 20, 2025 | Ravie Lakshmanan | Spyware / Mobile Security

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely customers of spyware developed by Israeli company Paragon Solutions, according to a new report from The Citizen Lab.

Paragon, founded in 2019 by Ehud Barak and Ehud Schneorson, is the maker of a surveillance tool called Graphite that’s capable of harvesting sensitive data from instant messaging applications on a device.


The interdisciplinary lab said it identified the six governments as “suspected Paragon deployments” after mapping the server infrastructure suspected to be associated with the spyware.

The development comes nearly two months after Meta-owned WhatsApp said it notified around 90 journalists and civil society members that it said were targeted by Graphite. The attacks were disrupted in December 2024.

Targets of these attacks included individuals spread across more than two dozen countries, including several in Europe such as Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain, and Sweden.

“This is the latest example of why spyware companies must be held accountable for their unlawful actions,” a WhatsApp spokesperson told The Hacker News at that time. “WhatsApp will continue to protect peoples’ ability to communicate privately.”

In these attacks, targets were added to a WhatsApp group and then sent a PDF document, which was parsed automatically to trigger the now-patched zero-day vulnerability and load the Graphite spyware. The final stage entailed escaping the Android sandbox to compromise other apps on the targeted devices.

Further investigation of hacked Android devices has uncovered a forensic artifact dubbed BIGPRETZEL that is suspected to uniquely identify infections with Paragon’s Graphite spyware.


Evidence has also been found of a likely Paragon infection targeting an iPhone belonging to an Italy-based founder of the organization Refugees in Libya in June 2024. Apple has since addressed the attack vector with the release of iOS 18.

“Mercenary spyware attacks like this one are extremely sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals because of who they are or what they do,” Apple said in a statement.

“After detecting the attacks in question, our security teams rapidly developed and deployed a fix in the initial release of iOS 18 to protect iPhone users, and sent Apple threat notifications to inform and assist users who may have been individually targeted.”
