Report on Paragon Spyware

Citizen Lab has a new report on Paragon’s spyware:

Key Findings:

  • Introducing Paragon Solutions. Paragon Solutions was founded in Israel in 2019 and sells spyware called Graphite. The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for.
  • Infrastructure Analysis of Paragon Spyware. Based on a tip from a collaborator, we mapped out server infrastructure that we attribute to Paragon’s Graphite spyware tool. We identified a subset of suspected Paragon deployments, including in Australia, Canada, Cyprus, Denmark, Israel, and Singapore.
  • Identifying a Possible Canadian Paragon Customer. Our investigation surfaced potential links between Paragon Solutions and the Canadian Ontario Provincial Police, and found evidence of a growing ecosystem of spyware capability among Ontario-based police services.
  • Helping WhatsApp Catch a Zero-Click. We shared our analysis of Paragon’s infrastructure with Meta, who told us that the details were pivotal to their ongoing investigation into Paragon. WhatsApp discovered and mitigated an active Paragon zero-click exploit, and later notified over 90 individuals who it believed were targeted, including civil society members in Italy.
  • Android Forensic Analysis: Italian Cluster. We forensically analyzed multiple Android phones belonging to Paragon targets in Italy (an acknowledged Paragon user) who were notified by WhatsApp. We found clear indications that spyware had been loaded into WhatsApp, as well as other apps on their devices.
  • A Related Case of iPhone Spyware in Italy. We analyzed the iPhone of an individual who worked closely with confirmed Android Paragon targets. This person received an Apple threat notification in November 2024, but no WhatsApp notification. Our analysis showed an attempt to infect the device with novel spyware in June 2024. We shared details with Apple, who confirmed they had patched the attack in iOS 18.
  • Other Surveillance Tech Deployed Against The Same Italian Cluster. We also note 2024 warnings sent by Meta to several individuals in the same organizational cluster, including a Paragon victim, suggesting the need for further scrutiny into other surveillance technology deployed against these individuals.

Posted on March 25, 2025 at 7:05 AM

Comments

Clive Robinson March 25, 2025 10:35 AM

@ Bruce, ALL,

With regards the first key point and,

“The company differentiates itself by claiming it has safeguards to prevent the kinds of spyware abuses that NSO Group and other vendors are notorious for.”

If people think critically they will realise there cannot be “safeguards to prevent” anything, let alone “abuses”, when surveillance is involved. Even if surveillance is done on a case-by-case basis.

Look at it this way: on a case-by-case basis there would have to be an exchange of critical, if not secure, information, done in approximately the following way:

1, A 1st party governmental agency approaches,
2, A 2nd Party spyware provider,
3, About putting a 3rd party under surveillance.

4, The 1st party claims the 3rd party is a “Person of Interest” to the 2nd party,
5, For some unspecified reason or without verifiable evidence.
6, Expecting the 2nd party to just accept and move forward on the request.

The 5th point can be assumed because if there were “verifiable” evidence the 2nd party could “check and verify”, then the 1st party could pull the 3rd party in without the need for surveillance etc.

Further the 6th point can likewise be assumed otherwise the 1st party would not have approached the 2nd party in the first place.

From this it can be inferred that any checking the 2nd party could do on a case by case basis would be weak at best. In part because the 1st party would not wish the 3rd party to get “tipped off” and the 2nd party wants to perform paying work to stay in business.

So what actually happens?

Well the article indicates,

“a senior executive at Paragon said the company would only sell to government customers who “abide by international norms and respect fundamental rights and freedoms” and that “authoritarian or non-democratic regimes would never be customers.”

Oh dear, what does a government have to do? Pinky swear they are the good guys?

We’ve seen this sort of “self provided character reference” before with Con Artists and all sorts of other criminal types swearing they are upright citizens in good order…

Let’s assume though that up to that date and time they were being honest… How long is that going to actually last under “political pressure”?

I could go on but I think most understand the assurances are fairly pointless.

Joseph Kanowitz March 25, 2025 12:05 PM

ב”ה,
What’s the dumbest thing happening while the visible top of the US natsec apparatus is all in a sudden hearing today? Will they all come back to their desktop backgrounds changed to a Jerkcity comic?

SW March 25, 2025 2:28 PM

If fifty nitwits at Paragon stealing American technology (Israel is amongst China, Russia and France as the parasitic states that steal American tech) and using American money (see Forbes) to create backdoors into Signal, iOS, etc., God help us as to what NSA can do.

None of us is safe.

lastofthev8's March 25, 2025 8:11 PM

The IPs that were possible “Paragon deployments, including in Australia” in that paragraph was kinda here we go! “Ah-huh” I thought, so anyone up for let’s connect the dots? Ha! Anyone? Curiosity kicks in and welp! These IPs in Citizen Lab’s article, 120.150.253.xxx and 150.207.167.xxx, are pretty easy to trace, I mean masked IP + (.0/24) etc. IP Range: 150.207.0.0 – 150.207.255.255

Netname: VOCUS-AP (Vocus Communications)

external-astra[.]com (Australia)

domain names (external-astra[.]com and internal-Abba[.]com)

could be part of the spyware’s operational infrastructure (e.g., one used for command-and-control or data exfiltration)

lastofthev8's March 25, 2025 8:18 PM

Here too, so idk, there’s a lot of variables here, it’s like who? what? where?

120.150.253.100 = IP Location

Australia, Sydney, Telstra Limited

ASN: AS1221 ASN-TELSTRA Telstra
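
The netblock attribution the two comments above do by hand (expand a redacted address such as 120.150.253.xxx to its /24, then look the block up against registry allocations) can be scripted. What follows is an added example, not code from Citizen Lab or from the commenter. The allocation table is constructed for the example: the Vocus and Telstra rows restate what the comments report (the Telstra /16 is an assumption, not verified here), and the two 203.0.113.0/25 rows are RFC 5737 documentation space split in half to show the caveat a practitioner wants: a redacted /24 can straddle more than one allocation, in which case the masked address cannot be attributed to a single network holder.

```python
"""
Expand a redacted IPv4 address (e.g. "120.150.253.xxx") to the smallest
CIDR block that covers every value of the masked octets, then attribute
that block against a netblock table with a longest-prefix match.
Added example; the table below is constructed, not real WHOIS output.
"""
import ipaddress

# Constructed allocation table. The first two rows restate what the
# comments above report for these ranges (the Telstra /16 is an
# assumption); the 203.0.113.0/24 rows are RFC 5737 documentation space
# split in two to exercise the "masked block spans two holders" case.
ALLOCATIONS = {
    "150.207.0.0/16": "VOCUS-AP (Vocus Communications)",
    "120.150.0.0/16": "AS1221 ASN-TELSTRA (Telstra)",   # assumed prefix length
    "203.0.113.0/25": "EXAMPLE-HOLDER-A",
    "203.0.113.128/25": "EXAMPLE-HOLDER-B",
}

MASK_TOKENS = {"x", "xx", "xxx", "*"}


def masked_to_network(masked: str) -> ipaddress.IPv4Network:
    """Turn 'a.b.c.xxx' into a.b.c.0/24, 'a.b.xxx.xxx' into a.b.0.0/16, etc.

    An unmasked address becomes a /32. Masked octets must be trailing:
    '10.x.3.4' is not a CIDR block and is rejected.
    """
    octets = masked.strip().split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {masked!r}")
    concrete = []
    for i, octet in enumerate(octets):
        if octet.lower() in MASK_TOKENS:
            if any(rest.lower() not in MASK_TOKENS for rest in octets[i + 1:]):
                raise ValueError(f"masked octet followed by a concrete one: {masked!r}")
            break
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet {octet!r} in {masked!r}")
        concrete.append(int(octet))
    prefix = 8 * len(concrete)
    base = ".".join(str(v) for v in concrete + [0] * (4 - len(concrete)))
    return ipaddress.IPv4Network(f"{base}/{prefix}")


def attribute(masked: str, table=ALLOCATIONS) -> dict:
    """Attribute a (possibly redacted) address to the allocations it falls in.

    If some allocation fully contains the masked block, the most specific
    (longest prefix) one wins. If the block only partially overlaps
    allocations, every overlapping holder is returned and the result is
    flagged ambiguous: the redaction hides which holder the real host sits in.
    """
    net = masked_to_network(masked)
    containing, partial = [], []
    for cidr, holder in table.items():
        alloc = ipaddress.IPv4Network(cidr)
        if net.subnet_of(alloc):
            containing.append((alloc, holder))
        elif net.overlaps(alloc):
            partial.append((alloc, holder))
    if containing:
        alloc, holder = max(containing, key=lambda t: t[0].prefixlen)
        return {"network": str(net), "allocation": str(alloc),
                "holders": [holder], "ambiguous": False}
    return {"network": str(net), "allocation": None,
            "holders": [h for _, h in partial], "ambiguous": len(partial) > 1}


if __name__ == "__main__":
    for sample in ("150.207.167.xxx", "120.150.253.100", "203.0.113.xxx"):
        print(sample, "->", attribute(sample))
```

For real work the table would be filled from RDAP or WHOIS answers for the specific blocks rather than typed in, but the straddle check is the part worth keeping: a redacted address only attributes cleanly when the whole masked block sits inside one allocation.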

ResearcherZero March 29, 2025 12:27 AM

@lastofthev8’s

Optus and TPG/Vodafone also cooperate with police interception and collection. Many of the other providers rely on parts of, or the entire, Optus, TPG or Telstra network for their service. Mobile phone service equipment may also have intercept hardware installed.

Coverage maps often refer to the percentage of the population covered, rather than the geographic area covered. Collection equipment is widely installed across the networks.

Matt April 15, 2025 7:28 AM

For this report to be of any use we need to know the protocols this spyware is using to communicate, outbound calls, APIs, etc.
