Israeli Spyware Graphite Used 0-Click Exploit to Target WhatsApp

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed a sophisticated spyware called ‘Graphite’. This spyware, developed by the Israeli firm Paragon Solutions, has been used to target high-profile individuals through the popular messaging platform WhatsApp.

The investigation conducted by Citizen Lab uncovered a previously unknown zero-day vulnerability in WhatsApp’s software, which allowed the spyware to be installed on devices through a zero-click exploit. This exploit enabled adversaries to gain unauthorized access to the targeted phones without any action required from the user.

Zero-click exploits are particularly dangerous as they allow devices to be compromised without the user interacting with any malicious links, files, or other content.

Paragon Solutions, founded in 2019 by prominent figures including former Israeli Prime Minister Ehud Barak, claims to uphold ethical standards in contrast to other spyware vendors like the NSO Group. However, Citizen Lab’s researchers mapped out servers associated with Graphite and identified suspected deployments targeting journalists, human rights activists, and government critics in various countries, including Italy, Israel, Canada, Cyprus, Denmark, Australia, and Singapore.

Meta, the parent company of WhatsApp, confirmed that approximately 90 users in 24 countries were targeted. Of particular interest in the investigation was the Ontario Provincial Police (OPP) in Canada: the researchers discovered connections between Paragon and the OPP, suggesting systematic use of spyware capabilities within Ontario-based police services.

The investigation also delved into individuals targeted in Italy, including journalist Francesco Cancellato and the founders of Mediterranea Saving Humans, Luca Casarini and Dr. Giuseppe Caccia. Forensic analysis of their Android devices revealed clear evidence of the Graphite spyware, with a unique artifact named BIGPRETZEL confirming the presence of Paragon’s spyware. The Italian government initially denied involvement but later acknowledged contractual agreements with Paragon.

Additionally, the investigation extended to an iPhone belonging to David Yambio, an associate of confirmed Paragon targets. Apple threat notifications received by Yambio indicated an attempted infection with novel spyware; Apple subsequently patched the issue in iOS 18.

In response to Citizen Lab’s findings, Meta, Apple, and Google collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps, while Apple released a patch for its iOS operating system to protect iPhone users. WhatsApp also notified targeted users directly of potential threats.

Despite a previous lawsuit against the NSO Group for compromising WhatsApp accounts, the findings from Citizen Lab indicate that Israeli spyware firms continue to focus on exploiting WhatsApp vulnerabilities for spyware deployment. This ongoing struggle highlights the importance of continuous caution, stricter security measures, and legal accountability within the spyware industry to safeguard digital privacy and human rights in the face of evolving threats.
