Elyse Betters Picaro / ZDNET
Over the past decade, spyware tools have been repeatedly found on the phones of journalists, activists, and politicians. This has raised concerns about the unprecedented proliferation of spyware technologies and the lack of protections within the tech sector.
Also: Got a suspicious E-ZPass text? Don’t click the link (and what to do if you already did)
Meta’s WhatsApp recently revealed it discovered a hacking campaign targeting about 90 users — mostly journalists and civil society members across two dozen countries. According to a WhatsApp spokesperson, the Israeli spyware company Paragon Solutions — now acquired by Florida-based private equity firm AE Industrial Partners — was behind the attack.
Graphite, Paragon’s spyware, was found to have infiltrated WhatsApp groups by simply sending users a malicious PDF attachment. Without users’ knowledge, it can access and read messages on encrypted applications like WhatsApp and Signal.
What is a zero-click capability?
What happened to WhatsApp was a zero-click attack, meaning targets don’t have to take any action for their devices to be compromised. In contrast, phishing or one-click attacks require user interaction with a malicious link or attachment. Once a phone is infected with a zero-click capability, the attacker can quietly gain complete access by exploiting a security vulnerability.
In an interview with ZDNET, Rocky Cole, co-founder of mobile threat protection company iVerify, said that “in the case of graphite, via WhatsApp, some kind of payload, like a PDF or an image, [was sent to the victims’ devices] and the underlying processes that receive and handle those packages have vulnerabilities that the attackers exploit [to] infect the phone.”
Also: 7 simple things I always do on Android to protect my privacy – and why you should too
While public reporting does not specify “whether graphite can engage in privilege escalation [vulnerability] and operate outside WhatsApp or even move into the iOS kernel itself, we do know from our own detections and other work with customers, that privilege escalation via WhatsApp in order to gain kernel access is indeed possible,” Cole said.
iVerify has uncovered instances where “a number of WhatsApp crashes on [mobile] devices [they’re] monitoring with iVerify” have appeared to be malicious in nature, leading the iVerify team to believe that the malicious attacks are “potentially more widespread” than just the 90 people reported to have been infected by graphite.
While the WhatsApp attack was predominantly launched against members of civil society, mobile spyware is an emerging threat against everyone because mobile exploitation is more widespread than one might think, Cole said. Moreover, “the result is an emerging ecosystem around mobile spyware development and an increasing number of VC-backed mobile spyware companies are ‘under pressure to become profitable enterprises,'” he said.
This ultimately “creates marketing competition” for spyware merchants and “lowers barriers” that would deter these mobile exploitation attacks.
Also: I clicked on four sneaky online scams on purpose – to show you how they work
Earlier this year, WhatsApp won a lawsuit against NSO after a federal judge in California found that NSO was exploiting a security vulnerability within the messaging app to deliver Pegasus. The infamous NSO Group — known for infecting the phones of journalists, activists, and Palestinian rights organizations — has used similar zero-click capabilities through its Israeli-made Pegasus spyware, a commercial spyware and phone-hacking tool.
Historically, the NSO Group has avoided selling to US-based clients and has also been banned by the US Commerce Department under former President Joe Biden’s administration for allegedly supplying spyware to authoritarian governments. However, “shifting political dynamics [under the Trump administration] raises the possibility that spyware may become more prevalent in the United States” — exacerbating mobile exploitation.
Cole said the world is totally unprepared to deal with that.
Best practices for protecting your device
Cole advises people to treat their phone like a computer. This means that just as one would apply “a body of best practices that exist to protect traditional endpoints like laptops, from exploitation and compromise — those same standards and practices should just be applied to phones.” This includes rebooting your phone daily because “a lot of these exploits exist in memory only. They’re not files, and if you reboot your phone, in theory, you should be able to wipe the malware as well,” he said.
Also: Why you should power off your phone once a week — according to the NSA
However, Cole notes that if it’s a zero-click capability like Graphite or Pegasus, you can be easily reinfected. That’s why he recommends using a mobile security tool to know if you’ve been targeted. The iVerify mobile threat scanner for advanced mobile compromise costs just $1 and is easy to use. To learn how to download and test the app for yourself, see our guide on how to detect infamous NSO spyware on your phone.
Also: 7 ways to lock down your phone’s security – before it’s too late
You can also try Lockdown Mode if you’re using an Apple device. According to Cole, “lockdown mode has the effect of reducing some functionality of internet-facing applications [which can] in some ways reduce the attack surface to some degree.”
The only way to truly defend yourself against zero-click capabilities is to fix the underlying vulnerabilities. As Cole emphasized, this means only Apple, Google, and the app developers can do that, “so as an end user, it’s critically important that when a new security patch is available, you apply it as soon as you possibly can.”
Get the morning’s top stories in your inbox each day with our Tech Today newsletter.
