Journalists and Civil Society Members Using WhatsApp Targeted by Paragon Spyware

This is yet another story of commercial spyware being used against journalists and civil society members.

The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had “high confidence” that the 90 users in question had been targeted and “possibly compromised.”

It is not clear who was behind the attack. Like other spyware makers, Paragon’s hacking software is used by government clients and WhatsApp said it had not been able to identify the clients who ordered the alleged attacks.

Experts said the targeting was a “zero-click” attack, which means targets would not have had to click on any malicious links to be infected.

Posted on February 3, 2025 at 7:05 AM • 16 Comments

Comments

Clive Robinson February 3, 2025 8:33 AM

Zero-Click, the modern curtain twitching.

From the article we see,

“Experts said the targeting was a “zero-click” attack, which means targets would not have had to click on any malicious links to be infected.”

It’s a bit more complicated than just telling users Do Not “click on any malicious links”…

Without going into lots of details, it’s possible to send somebody a message where the user’s “Smart Device” phone does something really “Dumb” like “pre-fetch” images and the like, thus doing the equivalent of a user clicking…

But the other thing which really annoys me about people talking glibly about “malicious links” is that even Security Experts can not actually “Positively identify” them as being “malicious links” until they follow them… So,

“How the heck do we expect ordinary users to be able to magically know every time what links are malicious or not?”

Personally I blame the likes of Microsoft, Google, and other major software developers in the industry. Because they talk a lot about “User Security” and then do just about everything they can to destroy user security in the name of “User Convenience” or some other “Marketing Nonsense”.

Further we know that they can not find vulnerability exploits in code despite their special teams…

Just ask yourself how many times have you heard about “malicious exploits” in the software they say is OK to go in their “Walled Garden” App Stores and similar.

As long as this nonsense goes on then the likes of “Paragon Spyware” will be continued to be developed and made available to be used by all sorts of undesirables and criminals.

If we want to reduce it we have to treat Microsoft and Google etc like those who “grow or manufacture” drugs. That is send in the military with flame throwers etc. Because if the War-On-Drugs has taught us one thing, “as long as there is product, then a market will exist to trade it”. It’s the same with vulnerabilities: lock up the producers and burn the product, then others might learn their “Individual Rights” to push bad product for profit is capped by “Societal Responsibility”.

TimH February 3, 2025 1:28 PM

@Clive…also the reporting “WhatsApp said it believed the so-called vector, or means by which the infection was delivered to users, was through a malicious pdf file that was sent to individuals who were added to group chats.” provides no help at all to avoid infection, apart from not having WA installed.

What is the group chat vector? Does the attack use JavaScript which can be disabled in Safari?

lurker February 3, 2025 6:25 PM

@TimH

attaching a PDF to a chat message is stupidity,
reading a PDF attached to a chat message is stupidity,
but the chat app is also stupid in opening attachments
without user intervention.

There seems to be no shortage of stupidity.

BTW a recent “update” to Android means that all PDF reading apps now require permissions to “access all files on device”. The fine print in the dialog box says that when the permission is granted the app “can read, write, or delete any file on the device. Access to files may occur without any notification to the user.”

ResearcherZero February 3, 2025 11:51 PM

There are no regulations that providers have to inform subscribers about the flaws in their networks. Most people do not realise that voice call ‘metadata’ and ordinary text messages are not encrypted. The plain text messages can be read by anyone (including the IMSI which can be monitored by an IMSI Catcher). All of this data is sent unencrypted over-the-air in 2G, 3G and 4G. Much of the network will contain a mix of these technologies, and providers may use other network providers’ base stations for roaming and other features where they do not themselves have coverage. An attacker can easily see a lot of this information.

No special skill or knowledge is needed to conduct such attacks. It’s dead easy and cheap.

Particularly vulnerable are new customers activating a new SIM or registering a new device on the network. A scammer can see the new activation attempt, who the mobile provider is and the subscriber details, then Cold Call the unsuspecting customer while impersonating the customer support of the mobile provider. Next the scammer will ask the customer for their password and take control of their account/s. These attacks are cheap.

A more advanced attacker can operate their own base station or network equipment and conduct far more advanced attacks. While there are laws allowing governments to use contractors to install ‘lawful intercept’ equipment and middleboxes which allow Deep Packet Inspection or the ability to inject malicious packets, there are no regulations ensuring that network providers must protect and secure all your data passing over their networks.

Vulnerabilities used by spyware operators might be available six to twelve months before a patch is rolled out by vendors. Media and kernel exploits are quite popular and much of the data on messaging platforms like WhatsApp is not encrypted to begin with. Sure they promise to secure your “messages”, but that is a very narrowly defined term excluding other data.
They may also provide your data to partners, 3rd parties, and law enforcement. Sell it. As there are no laws in most jurisdictions protecting the privacy of your personal data (PII), it is all up for grabs, with so many options to harvest it in bulk.

Many cases of spyware that are reported target journalists or members of civil society and all the companies claim their customers are democratic and they only target the “bad guys”. Scammers on the other end of a call claim they are also there to provide you with help. Your identity is just a string of unencrypted characters available to bidders.

ResearcherZero February 4, 2025 12:06 AM

@TimH

The attack vector is WhatsApp and whichever Android and iOS vulnerabilities are currently available to spyware vendors. They are now rolling out patches that include fixes for Qualcomm exploits from earlier last year and other high rated and critical vulnerabilities.

“would you please come down to the station and we can help you with the reported incident.”

‘https://securitylab.amnesty.org/latest/2024/12/serbia-a-digital-prison-spyware-and-cellebrite-used-on-journalists-and-activists/

ResearcherZero February 4, 2025 1:03 AM

For instance, Salt Typhoon used CVE-2021-26855 to gain initial access to telecom companies then plant a backdoor and/or a rootkit. CVE-2021-26855 (ProxyLogon) is a vulnerability in Microsoft Exchange which has had a patch available since 2021, yet remains unpatched in the networks of many telecom providers across the globe. Despite being the top vulnerability of 2021, hundreds of Exchange instances are still unpatched in each global region, along with many other old and new vulnerabilities spread across these telecommunications networks.

It is because of all these systems missing updates that Salt Typhoon could access millions of call records and examine ‘lawful intercept’ capabilities within those systems. These same vulnerabilities allow rootkits to be installed that hide an attacker’s presence within the system and any other long-term persistence mechanisms needed to regain network access.

TimH February 4, 2025 4:18 PM

@ResearcherZero: “The attack vector is WhatsApp and whichever Android and iOS vulnerabilities are currently available to spyware vendors.” doesn’t answer my question.

Does the attack use the Safari rendering engine?

If so, would disabling Javascript in Safari stop this and similar attacks because the underlying exploit code isn’t allowed to run?

Paragorn February 4, 2025 11:50 PM

@TimH

Android doesn’t normally use the Safari engine, so it is probably more than that. JavaScript is a likely culprit (as always) if it is not WhatsApp itself. If it isn’t WhatsApp, then there are likely multiple vectors. 90-100 people targeted is a very low probability of being detected, and that would partially explain Meta’s uncertainty.

I can’t find any technical details, but my web search has been significantly degraded over the past few months (maybe try Baidu or Yandex). It’ll probably be quite a while before we have any more details, as this is all very politicized.

MDK February 5, 2025 2:16 PM

@ResearcherZero @Bruce et al

You see the CISA/FDA assessment on China’s Contec Patient Monitors? Interesting read.

lurker February 6, 2025 4:33 PM

@MDK

To their credit CISA do relay the FDA advice:
“Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.”

But then they go all woolly about firewalls, and low-privilege sub-nets.
I don’t care if some stooge in Elbonia is reading my vital signs. What I do care about is my hospital administrators not knowing that these devices do not need to be on the internet, and so should not be connected to the internet. Having a totally isolated network for such devices is an interesting problem. q.v. Stuxnet.

Ed February 7, 2025 9:32 AM

Besides tools like Paragon Spyware we now also have UK government ordering Apple to open up users’ encrypted cloud data. So that the UK government can read it.

Presumably this also means any credentials the user may have saved in their cloud keychain.

UK orders Apple to open up users’ encrypted cloud data, report says
‘https://www.reuters.com/world/uk/uk-asks-apple-let-it-spy-users-encrypted-accounts-washington-post-reports-2025-02-07/

Gog February 7, 2025 10:07 AM

@Ed
re: UK access to Apple cloud

UK is part of the Five Eyes. Access will likely not be limited solely to UK.

lurker February 7, 2025 12:33 PM

@Ed

“Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.” [emphasis added]

Funny how a Washington paper should be the first to report this; funny how the UK govt should want any user’s data from anywhere on the planet.

Clive Robinson February 7, 2025 4:19 PM

@ ALL,

With regards the UK Gov and Apple over encryption, the fact that it’s garnered a fair few comments already suggests it’s a matter of interest.

So when you see in an MSM news article,

“Security officials in the United Kingdom have demanded that Apple create a back door allowing them to retrieve all the content any Apple user worldwide has uploaded to the cloud, people familiar with the matter told The Washington Post.”

You need to dig a little deeper.

Firstly the reason it got mentioned in a US newspaper first, is not a sign that the UK MSM is failing. What it tells you is that there are significant “reporting restrictions” but “once the mouse is out of the hole” any cat can chase and pounce on it by quoting or reporting or verifying on what the foreign MSM has printed.

There are still things the UK MSM can not reveal unless they are first formally revealed to them (and no that does not include “whistleblower statements” or copies of official documents, see DORA and the two OSA as well as RIPA and subsequent nonsense legislation “dirty laundry by officialdom” gets hidden behind).

So keep your eyes on non UK MSM for now, however as a UK citizen, whilst I can point you to UK MSM reporting as I have done, pointing to non-UK MSM can get me into rather more than hot water.

But there are other “Technical Things” I can say that although the UK-Gov would very much rather I did not… As they have been in the “Public Domain” for quite some time and are the consequences of what are in effect “laws of nature and mathematics” I’m reasonably safe.

One such is to point out “Shannon Channels” and how they relate to cryptography.

Every communications path is a “Shannon Channel”; basic information theory that really can not be “arm waved against” says that every channel that carries information must have redundancy within it to be able to do so. It’s one of Shannon’s fundamental points and it’s quite important.

Another researcher pointed out that if there is redundancy, then you can use this to set up a Shannon Channel within a Shannon Channel.

More importantly it was also shown that information “meaning” in the inner channel can be kept from any and all outer Shannon Channels.

Thus the UK-Gov request fails.

Because Apple can not give the meaning of what is in the “Inner Shannon Channel” unless certain information has been made available to Apple.

At the simplest level if Apple do not have access to the “Secret Key” used to encrypt the messages all they can hand over is the encrypted files and whatever public Meta-Data exists about them. Whilst with sufficient Meta-Data it might be possible to deduce Meta-Meta-Data, that would mostly require simple failures by the 1st & 2nd parties in the communications. This information in a more extended form has been in various “undergraduate text books” for years and also in declassified information about the likes of TEMPEST and Traffic-Analysis. Fun thing some of those undergraduate texts are actually “Physics texts” not “Communications or Information texts”.

I’ve previously described how to use One Time Pad encryption to give “deniable encryption” that is as sent apparently “plain text” thus it’s near impossible to show there is a Shannon Channel within a Shannon Channel.

Thus with a little thought, it’s possible to neuter the UK-Gov requests, and if you go about things the right way there is little they can do unless they decide “Disappearing You” in one way or another is their only method of persuasion.

Which is why the original “Regulation of Investigatory Powers Act” (RIPA) contains legislation to that effect. That said, so far as we can tell Judges recognise the danger of this and either do not allow it or give very minimal sentencing.

The problem for most users of encryption is they are not very switched on, thus they take the word of “Application Developers” need I say,

“This is actually worse than rolling your own crypto”

In oh so many ways.

I still recommend using “off communications device” encryption and “hand to hand KeyMat exchange”.

Where the encryption is “Perfect Secrecy” based and produces “plain text” as enciphered text using no more than pencil and fast burn “flash paper”.

If you want security in a modern heavily backdoored technical gizmo world, you actually have little choice than to go “Old School” of World War II SOE etc techniques. That likewise have been sufficiently documented in the Public Domain.
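The “channel within a channel” argument in the comment above, worked as a small added example (not code from the post or its commenters): a letter-only one-time pad where, for any ciphertext, every plaintext of the same length is consistent with some pad, so a party holding only the ciphertext cannot recover its meaning, and the sender can produce a pad that “decrypts” to a cover text. The messages, the cover text and the helper names are constructed for the illustration.

```python
"""Added example: one-time pad over A-Z showing why ciphertext alone has no
recoverable 'meaning' (perfect secrecy) and how an alternative pad yields an
innocuous cover text. Pads come from a CSPRNG and must never be reused."""
import secrets
import string

ALPHABET = string.ascii_uppercase  # the 26-letter pad alphabet


def normalize(text: str) -> str:
    """Keep only A-Z so the pad arithmetic is well defined."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def random_pad(length: int) -> str:
    """One uniformly random letter of key material per plaintext letter."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def otp_encrypt(plaintext: str, pad: str) -> str:
    """C = P + K (mod 26), letter by letter; the pad must cover the message."""
    p = normalize(plaintext)
    if len(pad) < len(p):
        raise ValueError("pad must be at least as long as the plaintext")
    return "".join(ALPHABET[(ALPHABET.index(a) + ALPHABET.index(k)) % 26]
                   for a, k in zip(p, pad))


def otp_decrypt(ciphertext: str, pad: str) -> str:
    """P = C - K (mod 26)."""
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(k)) % 26]
                   for c, k in zip(ciphertext, pad))


def pad_for_cover(ciphertext: str, cover: str) -> str:
    """Derive the pad K' = C - P' under which the same ciphertext reads as
    `cover`. Such a pad exists for every cover of equal length, which is
    exactly why the ciphertext carries no information about which one was sent."""
    c = normalize(cover)
    if len(c) != len(ciphertext):
        raise ValueError("cover text must have the same letter count as the ciphertext")
    return otp_decrypt(ciphertext, c)  # subtraction is the same operation


def demo() -> tuple[str, str]:
    """Constructed messages: encrypt the real one, then show a cover reading."""
    real = "MEET AT THE OLD MILL AT NOON"          # 22 letters
    cover = "CALL ME WHEN YOU ARE HOME OK"         # also 22 letters
    pad = random_pad(len(normalize(real)))
    ct = otp_encrypt(real, pad)
    return otp_decrypt(ct, pad), otp_decrypt(ct, pad_for_cover(ct, cover))
```

The cover-pad trick only holds because the key is as long as the message and used once; any reuse or shorter key reintroduces redundancy that traffic analysis can exploit.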

ResearcherZero February 8, 2025 2:33 AM

@ALL, @Clive

Old school is the best.

Secret order would give the UK access to encrypted backups belonging to any user.

“Apple would not be permitted to alert users that their encryption was compromised.”

‘https://www.theverge.com/news/608145/apple-uk-icloud-encrypted-backups-spying-snoopers-charter
