AI Incident Database

Report 5179

Associated Incidents

Incident 106933 Report
Purported Graphite Spyware Linked to Paragon Solutions Allegedly Deployed Against Journalists and Civil Society Workers

Nation-State 'Paragon' Spyware Infections Target Civil Society
darkreading.com · 2025

Researchers are beginning to unravel global surveillance operations targeting journalists, humanitarian aid workers, and other civilians via messaging apps.

On Jan. 31, WhatsApp contacted more than 90 individuals whom it believed had been targeted with spyware developed by Israel-based "Paragon Solutions." Working with three of those victims, and a tip from a collaborator, cyber research organization Citizen Lab has since uncovered more detail about how these spyware operations worked, and homed in on the locations of at least some of its customers, which spread across at least four continents.

"Real governments are in fact using both Android and iOS spyware against both their citizens and foreign citizens," warns Censys senior security researcher Aidan Holland, who took part in the investigation. "It's a crazy time to be alive."

What is the Paragon Mobile Spyware Group?

Paragon Solutions was co-founded in 2019 by a former Israeli Defense Forces (IDF) Unit 8200 commander and former Israeli prime minister Ehud Barak. In 2021 it established a US arm staffed in part by former government employees, including veterans of the Central Intelligence Agency and the US Navy.

Paragon's Android malware, "Graphite," worked a tad differently from typical spyware. Instead of loading itself as a hidden app or process on a device, it latched onto legitimate messaging apps that users had most likely already installed. This tactic left behind less forensic evidence on the device itself, but brought app developers into the fold.

In recent cases, attackers would first use a unique, as yet undisclosed means of adding their targets to a particular WhatsApp group. Once added, they'd send the target a PDF file. The target's device would automatically parse the PDF, allowing the payload to exploit a zero-day vulnerability in WhatsApp itself. Without any need for user interaction, Graphite would load into the app and then escape its sandbox, allowing it to spread to other apps as well. Citizen Lab analyzed one phone in which Graphite had spread to two other apps, including "a popular messaging app."

WhatsApp discovered and fixed this zero-click exploit late last year. WhatsApp parent company Meta told Bleeping Computer that the fix was applied entirely on the server side, so users did not need to update, and thus the company did not assign it a CVE-ID.

While its malware is just as pernicious, Paragon markets itself as a more ethical alternative to the infamous NSO Group. It won't contract with maniacal autocrats so, the logic goes, you can trust that its mission is sound. Meta and Citizen Lab have discovered, however, that Paragon's malware has regularly been deployed against harmless civilians.

Among the latest round of 90 identified targets, for example, three from Italy have now been publicly named: an editor-in-chief of an investigative news outlet and the co-founders of an organization that rescues migrants traveling over the Mediterranean Sea.

Mapping Out Spyware Infrastructure

Italy has a storied history with spyware. To find out where else Paragon's fingerprints could be found, Citizen Lab worked with Censys, a company that maintains somewhere around 4 petabytes (1 petabyte is 1,000 terabytes) worth of data on Internet-facing assets across the planet.

Starting with just a tip from a collaborator, the researchers extrapolated to discover a range of infrastructure tied to Paragon's developers and customers.

The job is easiest, Holland explains, when naive customers unwittingly expose their surveillance infrastructure. For example, "If NSO Group sold to the Mexican government, the Mexican government would then deploy the software," he says. "Then it's on the people deploying the software to deploy it the correct way and hide the indicators that would point to NSO Group. So they're trusting a random government employee to properly hide spyware. That's not in their job description."

In all, the analysts managed to identify Paragon deployments in Australia, Canada, Cyprus, Denmark, Israel, and Singapore.

Canada proved particularly interesting. The researchers inferred that the connections they found there led to the Ontario Provincial Police, and with further digging, they came across other spyware cases before Ontario courts involving the province's York Regional Police Service, Hamilton Police Service, and Peel Regional Police Service.

Paragon's OpSec Slip-Ups

Paragon itself has not always been so careful in concealing its online presence.

"We went back to the 2021-2022 time frame, when they had yet to hide themselves," Holland recalls. At one point, when the researchers examined a specific range of suspicious Israeli IP addresses, they were met with webpages titled simply "Paragon." Giggling, Holland wonders, "What type of spyware company advertises their website like that?"

He notes, though, "Truthfully, we see this all the time with malware. [A server will announce to us], 'Hey, I'm Cobalt Strike.' Why would you tell me this? Now I can find all the other Cobalt Strike servers in existence."

In recent years, Paragon has apparently corrected its errors. "I looked for other instances of [Paragon-branded domains], and there are none in current Internet scanning, at least from our perspective. Mind you, it would have been a perfectly valid technique for Paragon to block Censys so that its stuff wouldn't be indexed, or hide behind a web application firewall (WAF)," he says.

Looking on the bright side, he adds, "This does leave a little bit of room to further investigate them as they evolve."
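The infrastructure-mapping work described above starts from a single tip and pivots on attributes that exposed hosts share, such as a branded page title or a reused TLS certificate, while self-announcing banners ("Paragon", "Cobalt Strike") are simply matched against a watchlist. The following is an added illustration of that analyst workflow, not code from Citizen Lab, Censys or the article; the scan records, IP addresses (documentation ranges) and certificate subjects are constructed, and the `GENERIC_VALUES` stoplist is an assumption about how a practitioner would avoid over-pivoting on attributes shared by unrelated hosts.

```python
from collections import defaultdict

# Constructed sample scan records (not real Censys data). Each record is one
# (ip, port) observation with the HTTP <title> and TLS certificate subject seen.
SCAN_RECORDS = [
    # Two hosts sharing a branded page title and a certificate subject
    {"ip": "192.0.2.10", "port": 443, "http_title": "Paragon", "cert_subject": "CN=ops-a.invalid"},
    {"ip": "192.0.2.11", "port": 443, "http_title": "Paragon", "cert_subject": "CN=ops-a.invalid"},
    # A third host shares only the certificate with the first two, not the title
    {"ip": "192.0.2.12", "port": 8443, "http_title": "403 Forbidden", "cert_subject": "CN=ops-a.invalid"},
    # Unrelated host with a generic title that must NOT be pulled into the cluster
    {"ip": "198.51.100.5", "port": 443, "http_title": "403 Forbidden", "cert_subject": "CN=shop.invalid"},
    # Host that announces its C2 framework in the page title (constructed)
    {"ip": "203.0.113.9", "port": 443, "http_title": "Cobalt Strike", "cert_subject": "CN=localhost"},
    # Benign host
    {"ip": "203.0.113.20", "port": 443, "http_title": "Welcome to nginx!", "cert_subject": "CN=www.example.com"},
]

# Assumed stoplist: values so common that sharing them proves nothing.
GENERIC_VALUES = {"", "403 Forbidden", "404 Not Found", "Welcome to nginx!", "CN=localhost", "Index of /"}
PIVOT_FIELDS = ("http_title", "cert_subject")


def pivot_index(records, fields=PIVOT_FIELDS):
    """Map each (field, value) pair to the set of IPs presenting it, skipping generic values."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            value = rec.get(field, "")
            if value in GENERIC_VALUES:
                continue
            index[(field, value)].add(rec["ip"])
    return index


def expand_from_seed(records, seed_ip, fields=PIVOT_FIELDS):
    """Start from one tipped IP and pivot on shared non-generic attributes until no new hosts appear."""
    index = pivot_index(records, fields)
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)

    found, frontier = {seed_ip}, [seed_ip]
    while frontier:
        ip = frontier.pop()
        for rec in by_ip[ip]:
            for field in fields:
                # Generic values were never indexed, so they cannot link hosts here.
                for other in index.get((field, rec.get(field, "")), ()):
                    if other not in found:
                        found.add(other)
                        frontier.append(other)
    return found


def self_identifying(records, watchlist=("cobalt strike", "paragon")):
    """Hosts whose page title names a known tool or vendor outright, as in the quoted examples."""
    hits = []
    for rec in records:
        title = rec.get("http_title", "")
        if any(term in title.lower() for term in watchlist):
            hits.append((rec["ip"], title))
    return sorted(hits)


if __name__ == "__main__":
    cluster = expand_from_seed(SCAN_RECORDS, "192.0.2.10")
    print("Hosts linked to the tipped IP:", sorted(cluster))
    print("Self-identifying banners:", self_identifying(SCAN_RECORDS))
```

Run from the tip `192.0.2.10`, the pivot reaches `192.0.2.11` through the shared title and `192.0.2.12` through the shared certificate, but stops there: the third host's generic `403 Forbidden` title is on the stoplist, so `198.51.100.5` is not dragged in. The stoplist is the part that needs the most care in practice, since a pivot on a default page title or a shared hosting certificate will otherwise link thousands of unrelated hosts. Holland's closing caveat also applies: an operator that blocks the scanner or sits behind a WAF never appears in these records at all, so an empty result is absence of evidence, not evidence of absence.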


2024 - AI Incident Database