WhatsApp has revealed that nearly 100 journalists and civil society members were targeted using spyware developed by the Israeli firm Paragon Solutions. The attack, which likely compromised the devices of some victims, was identified and disrupted in December 2024. While the perpetrators remain unknown, WhatsApp has sent a cease-and-desist letter to Paragon and is exploring legal action.
The discovery was made through internal investigations at WhatsApp, aided by researchers from Citizen Lab at the University of Toronto. According to WhatsApp’s comments to The Guardian, the attack exploited a zero-click vulnerability, meaning victims did not need to interact with malicious content for their devices to be infected. The spyware was likely delivered through a malicious PDF file sent to individuals who were added to WhatsApp group chats.
Paragon Solutions, an Israeli cybersecurity firm, specializes in surveillance software for government clients. Its flagship spyware, Graphite, operates similarly to NSO Group’s Pegasus, allowing complete control over an infected device, including access to encrypted messages on apps like WhatsApp and Signal. Paragon has claimed that it only works with democratic governments and does not sell to nations with histories of spyware abuse, such as Greece, Poland, Hungary, Mexico, and India. However, this incident marks the first public disclosure of Paragon’s spyware being linked to unlawful surveillance.
Unverified claims surfaced online with more details about the recent WhatsApp hacks and how they work. Reportedly, Paragon’s hacking method differs from typical offensive cyber tools as it does not install spyware on the target’s device. Instead, it exploits vulnerabilities in instant messaging apps like WhatsApp, Telegram, and Signal by breaching the device and stealing unique identification tokens—essentially the equivalent of a username and password.
With these stolen identifiers, Paragon manipulates weaknesses in WhatsApp’s main servers to impersonate the device, allowing its software, Graphite, to intercept and access all incoming messages without the user’s knowledge. This approach enables remote surveillance without requiring direct installation on the device, relying solely on server-side exploitation. Paragon believed this method made detection nearly impossible, but it was eventually exposed, revealing a sophisticated yet unoriginal technique, one reportedly taken directly from Israel’s Unit 8200, along with some of its top cyber experts.
In October 2024, Wired reported that Paragon had a $2 million contract with U.S. Immigration and Customs Enforcement (ICE), which was later halted pending a review of its compliance with a Biden-era executive order restricting spyware use by federal agencies. Despite the Trump administration’s revocation of numerous Biden orders, this restriction remains in effect.
Paragon was recently acquired by the U.S. investment firm AE Industrial Partners for an estimated $500–900 million. However, Israeli regulatory authorities have yet to approve the sale due to strict cyberweapon export controls.
This revelation follows WhatsApp’s landmark legal victory against NSO Group in December 2024. A California judge ruled that NSO was liable for infecting 1,400 WhatsApp users with Pegasus spyware in 2019, violating U.S. hacking laws and WhatsApp’s terms of service. This latest case underscores the ongoing risks posed by commercial spyware companies.
Measures for WhatsApp users
While zero-click exploits are challenging to defend against, users can take the following precautions to minimize risk:
- Keep WhatsApp updated to ensure the latest security patches are applied.
- Be cautious of unexpected group invitations, especially from unknown contacts.
- Enable two-step verification to add an extra layer of security.
- Regularly check for unusual activity, such as excessive battery drain or high data usage, which may indicate spyware infection.
- Use threat detection tools from cybersecurity organizations like Citizen Lab or Amnesty International.
WhatsApp has begun notifying affected users and reaffirmed its commitment to preventing spyware abuse on its platform.