Spyware in India

Apple has warned leaders of the opposition government in India that their phones are being spied on:

Multiple top leaders of India’s opposition parties and several journalists have received a notification from Apple, saying that “Apple believes you are being targeted by state-sponsored attackers who are trying to remotely compromise the iPhone associated with your Apple ID ….”

AccessNow puts this in context:

For India to uphold fundamental rights, authorities must initiate an immediate independent inquiry, implement a ban on the use of rights-abusing commercial spyware, and make a commitment to reform the country’s surveillance laws. These latest warnings build on repeated instances of cyber intrusion and spyware usage, and highlight the surveillance impunity in India that continues to flourish despite the public outcry triggered by the 2019 Pegasus Project revelations.

Posted on November 2, 2023 at 7:07 AM • 14 Comments


shanks November 2, 2023 8:46 AM

Interesting that you are on the board of AccessNow.

The template of the email seems weird. It’s not Apple who seemed to have sent out the email based on the content. And why is AccessNow the expert to call instead of Apple’s security/threat team?

This looks like a repeat of the Pegasus malware case where finally not a single case in India was reported by anyone of interest; as in no one turned in their phone to the Supreme Court appointed team for forensics.

Clive Robinson November 2, 2023 2:40 PM

Not exactly a surprise that it is going on.

After all the current Prime Minister is all for “Surveillance on the wrong sort of people” (about half the population one way or another).

So changes in the law look unlikely, unless he and those who work for him have an “opt-out”.

But even if it was made illegal in India, other nations will allow if not actively encourage the development of “Spy-Ware” for all sorts of reasons.

It’s where you see a form of economic lock-step in action,

1, Demand creates a market.
2, The market creates new demand.
3, The demand creates new products.
4, New products create new demand.

And so on, with at some point a “counter-surveillance” market will form and establish.

Which will result in the same silly game we saw with


With each iteration costing as much as all the previous steps but giving less than 10% improvement in capabilities.

Canis familiaris November 3, 2023 3:32 AM

It looks like web-browsers, in Europe, will soon be enabled for official MITM attacks.


Concretely, the regulation enables each EU member state (and recognised third party countries) to designate cryptographic keys for which trust is mandatory; this trust can only be withdrawn with the government’s permission (Article 45a(4)). This means any EU member state or third party country, acting alone, is capable of intercepting the web traffic of any EU citizen and there is no effective recourse.

Is it a letter Bruce should sign?

ResearcherZero November 3, 2023 5:17 AM


The Supreme Court in India has not yet released its report.

Forensic tests on various devices by Amnesty International’s Security Lab revealed that some activists and journalists’ phones had the spyware active.

“Of equal importance is how the results the forensic analysis threw up shows sequential correlations between the time and date a phone number is entered in the list and the beginning of surveillance.”

ResearcherZero November 3, 2023 5:44 AM

“I wrote back saying I am unable to open the file completely. The .exe file sent to me was an archive file with one PDF file attached. It had one unsigned warrant with no letterhead and several other files attached did not open.”


“The hackers, according to Arsenal’s report, compromised Swamy’s machine at least three times between 2014 and 2019, installing several different versions of a piece of malware known as NetWire.

Based on artifacts in the computer’s memory and disk storage, Arsenal found that the NetWire malware installed a series of files in a hidden folder on Swamy’s computer, including one that listed weapons possessed by various units of a militant rebel group and another that seemed to suggest kidnapping members of India’s ruling party, the BJP.”

NetWire is a remote access Trojan focused on password stealing and keylogging, as well as including remote control capabilities.

“Just as significant, Arsenal found new signs of the hackers’ attempt to clean up their tampering and cover their tracks just a day before Swamy’s computer was seized in 2019—a suggestion that the digital intruders likely knew the raid and seizure was coming and were cooperating with the Pune police who carried it out.”

Arsenal also found the emails were sent through different email spoofing services.


Over the course of 22 months the attacker not only created a hidden folder in his system, but also created incriminating documents inside that folder. These, it says, were never opened but ended up being used in the case against him and others.

The report says his computer got compromised on June 13, 2016 after a series of “suspicious mails” from “someone using Varavara Rao ’s email account”. Mr. Rao is a co-accused in the case. This person is said to have made repeated attempts to get Mr. Wilson to open a document, which he finally did. This was a bait, and it triggered the installation of the NetWire remote access trojan on his computer. The bait was delivered via an RAR file, which usually contains one or many files in a compressed format. The report says while “Mr. Wilson thought he was opening a link to Dropbox” in the email sent to him, he was actually opening a link to “a malicious command and control server”.


ResearcherZero November 3, 2023 6:02 AM

Spearphishing Emails, IoCs and Infrastructure

“The letters were created using a newer version of Microsoft Word that did not exist on Wilson’s computer, the report said.”

The same attacker deployed some of the same servers and IP addresses to target Wilson’s co-defendants in the case over a period of four years, the report said, based on a review of forensic images related to those individuals.

Three outside experts who reviewed the document at The Post’s request said the report’s conclusions were valid.


iAPX November 3, 2023 7:13 AM

@Canis Familiaris, All

I joked about the laws against encrypted exchanges, “they might make https illegal!”.
I couldn’t think a second they will effectively destroy all encryption including security and privacy on the Web.

That’s foolish! Total madness!

It took decades to have (not so) secure enough technologies and communications, and now this will be corrupt at the root.
And we all know that if a master key exists, it will be stolen, or a derived key, and used for wrong and evil purposes.

There’s also the possibility to fool a browser into thinking it’s in the EU for non-EU users to then be able to do MITM interception of its traffic.

PaulBart November 3, 2023 8:12 AM

I am so glad my Western government is up and up. Definitely no election fraud in 2020. No sirree.

PaulBart November 3, 2023 8:18 AM

@“compromised Swamy’s machine at least three times between 2014 and 2019, installing several different versions of a piece of malware known as NetWire.”

Wonder how often state actors, foreign and domestic, install onto politicians, both foreign and domestic, other types of data (classified files) and content (child porn), or pull said files from politicians’ devices.

Wikileaks and Assange showed everyone that their leaders and their bureaucrats are anything but trustworthy.

Whom and what to accept as truth?

Winter November 3, 2023 8:32 AM


I am so glad my Western government is up and up. Definitely no election fraud in 2020. No sirree.

You want to suggest that the ruling Republican government, President & Senate, as well as the majority of the state legislatures (Republican Governors and state congress), did commit fraud during the 2020 elections?

I do remember some things about Republican politicians being in court accused of involvement with election interference.

Clive Robinson November 3, 2023 9:48 AM

@ iAPX, ALL,

Re : History over hope.

“I couldn’t think a second they will effectively destroy all encryption including security and privacy on the Web.”

We have fought multiple battles over the use of codes and ciphers to protect our societally necessary civil privacy and security against crime. And though we have won some, we fail to adequately secure the gains made, thus the tide of war flows against society as despots and tyrants push on.

From millennia of experience of Kings, Might is Right, and similar abuse, from brigands, tyrants and dictatorial despots we have a cautionary saying,

“Power corrupts; absolute power corrupts absolutely.”

And we can not say we were not warned,

“The price of liberty; is Eternal vigilance.”

And also the most likely consequences,

“The tree of liberty must be refreshed from time to time with the blood of patriots and tyrants alike. It is its natural manure.”

Because as a society we do not want to take responsibility, and nearly all dislike the rote learning of the oft given dry facts of the past. Thus we fail to heed,

“Those who fail to learn from history are condemned to repeat it.”

Thus it would appear that we as society are condemned by our own failure, and to redress the failing, take up arms against those who have abused us for their own self entitlement…

ResearcherZero November 7, 2023 10:18 PM


Don’t worry, they get targeted also if they are found to have child porn, or kidnap/rape young women etc…

Are people in general trustworthy? Not always. Look how busy the family courts are.

ResearcherZero November 8, 2023 12:51 AM


State actors are generally interested in stealing state secrets and information. Military designs for example, or movements and locations of assets, intellectual property.

But as to your question of verifying the truth. It can be determined if files on a system have been planted or modified using forensic imaging and analysis methods. Forensic auditing can be carried out by an independent auditor, then verified by other independent experts.

Using indicators of compromise, you can also establish evidence of the identity, technique and infrastructure of a remote attacker. Physical attacks also leave evidence.

You can tell, even if it has been done by a skilled adversary who employs techniques such as time-stomping and log manipulation. There are many methods to cross check and verify file access, and any such deliberate efforts can provide further evidence of deliberate manipulation. Over time a better picture of the adversary emerges.
