ASUS has released updates to address two security flaws impacting ASUS DriverHub that, if successfully exploited, could enable an attacker to leverage the software in order to achieve remote code execution.
DriverHub is a tool that's designed to automatically detect the motherboard model of a computer and display necessary driver updates for subsequent installation by communicating with a

ASUS Patches DriverHub RCE Flaws Exploitable via HTTP and Crafted .ini Files

A list of topics we covered in the week of May 4 to May 10 of 2025

May 9, 2025 - Google announced it will equip Chrome with an AI driven method to detect and block Tech Support Scam websites

May 8, 2025 - As per a recent FBI warning, criminals are phishing users of payroll, and similar platforms to not only steal their credentials but also their funds.

May 8, 2025 - We're rolling out a brand new feature in Malwarebytes for iOS: the ability to block Google sponsored ads directly on Safari.  

May 8, 2025 - The age of AI guessing our passwords is upon us, and we need to change the ways we authenticate and use passwords where we have no alternatives.

May 8, 2025 - Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

 A week in security (May 4 &#8211; May 10) 

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware.

Meta has won almost $170m in damages from Israel-based NSO Group, maker of the Pegasus spyware. The ruling comes after a six-year legal case against the company after Meta accused it of misusing its servers to spy on users.

According to the original complaint against NSO Group, filed in October 2019, the spyware vendor used WhatsApp servers to send malware to around 1400 mobile phones. The purpose was to gain access to the messages on those devices, which were typically used by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

NSO Group reverse engineered WhatsApp’s software and developed its own software and servers to send messages to victims via the WhatsApp service that contained malware. That malware installed itself on the victims’ smartphones using a zero-click attack, meaning that the victim didn’t have to take any action such as opening an link or even answering a call for the compromise to happen; it was enough simply for the message to arrive.

A judge ruled in December that NSO Group had repeatedly dodged requests to provide its code for review, and granted Meta partial summary judgment over the vendor. That set up conditions for a trial to determine damages that started in late April.

NSO Group reportedly argued that Facebook lost nothing as part of the attack, arguing that it should pay the minimum amount in damages. However, the jury awarded Meta $444,719 in compensatory damages and $167,254,000 in punitive damages.

NSO Group is no stranger to controversy. The US federal government blacklisted it in 2021 for enabling foreign governments to spy on a range of people in acts of “transnational repression”. The same year, investigative website The Pegasus Project alleged that the company targeted over 180 journalists around the world. The European Data Protection Supervisor recommended an EU ban on the technology in 2022, although this has not yet happened.

The ruling drew praise from Amnesty International, which had filed a court brief as part of the case outlining the human rights implications of the attacks on Meta. The organization commented:

> “This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus,”

One takeaway stands out for our readers: end-to-end encryption is important for privacy, but it is not enough on its own.

As Meta pointed out in its complaint, NSO couldn’t decrypt WhatsApp messages in transit to users because they are encrypted when they’re sent from one device and stay unreadable until they’re decrypted by the receiving device. However, that doesn’t stop someone from reading the messages after they’re decrypted by the receiving device—someone who compromises your smartphone or PC has control over all of the data on it, including those decrypted messages.

For consumers, this means applying more layer of protection in the form of regular updates, security software, and cybersecurity awareness. Never open links, files, or videos from someone you don’t know. Be skeptical even if they’re from someone you do know—we recommend checking with them over a different channel first to ensure it was really them that sent it.

In this case, even that would not have enough, because NSO Group was able to infect phones without the victim even answering the call. Attacks this sophisticated often target people with sensitive roles such as journalists, activists, and government workers. Google has an advanced protection program for people like this, while Apple launched lockdown mode for high-risk users. Facebook has its own initiative.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 WhatsApp hack: Meta wins payout over NSO Group spyware 

US jury orders NSO Group to pay $168M to WhatsApp and Meta over Pegasus spyware use in 2019…

US jury orders NSO Group to pay $168M to WhatsApp and Meta over Pegasus spyware use in 2019 hack. Meta calls it a major step for user privacy protection.

A US federal jury has ruled in favour of WhatsApp and its parent company Meta, ordering Israeli spyware firm NSO Group to pay nearly $168 million in damages. The verdict follows years of legal battles over NSO’s use of its Pegasus spyware to infiltrate WhatsApp users’ devices.

The decision comes after WhatsApp first filed a lawsuit in 2019, accusing NSO Group of using a vulnerability in the platform’s video calling feature to install spyware on approximately 1,400 devices. Victims included journalists, human rights activists, diplomats, and others across multiple countries.

According to court filings (PDF), NSO’s Pegasus spyware was deployed by sending a WhatsApp call that didn’t even need to be answered. Once the call was placed, the malicious code would install itself, granting access to private messages, calls, camera feeds, and more.

The jury awarded $167.25 million in punitive damages and over $440,000 in compensatory damages to WhatsApp and Meta, bringing the total close to $168 million. Meta said the ruling represents a strong message against surveillance-for-hire businesses and a win for digital privacy.

“The jury’s decision to force NSO to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and our users worldwide,” said Meta in a statement following the ruling. The company added that it would continue pushing for stronger legal protections for users and tougher consequences for those abusing digital surveillance tools.

NSO Group has consistently denied wrongdoing, claiming its software is only sold to vetted government agencies for lawful use in preventing crime and terrorism. In response to the ruling, NSO announced its plans to appeal, reiterating that its tools were not intended to target individuals indiscriminately.

“We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies,” Gil Lainer, vice president of global communications for NSO Group, said in a statement Tuesday.

“We will carefully examine the verdict’s details and pursue appropriate legal remedies, including further proceedings and an appeal,” Lainer added, adding that the company “remains fully committed to its mission to develop technologies that protect public safety” while working within legalities.

Legal experts note that the ruling could set a precedent for holding spyware developers accountable in civil courts, especially when their tools are used against individuals without legal oversight. While NSO faces other lawsuits worldwide, this case may become a turning point in how private surveillance firms are treated under U.S. law.

The lawsuit and resulting fine also show the growing industry of commercial spyware, where private companies create powerful surveillance tools often used far beyond their original purpose. Pegasus has become one of the most high-profile examples due to its widespread use and the sensitivity of its targets.

Nevertheless, Meta’s victory not only brings a degree of closure to a five-year legal dispute but also pressures other spyware vendors to reconsider how their technologies are used and sold. Whether the fine leads to overall changes in the spyware industry remains to be seen, but it’s clear the legal risks are rising.

Israeli NSO Group Fined $168M for Pegasus Spyware Attack on WhatsApp

A federal jury on Tuesday decided that NSO Group must pay Meta-owned WhatsApp WhatsApp approximately $168 million in monetary damages, more than four months after a federal judge ruled that the Israeli company violated U.S. laws by exploiting WhatsApp servers to deploy Pegasus spyware, targeting over 1,400 individuals globally.
WhatsApp originally filed the lawsuit against NSO Group in 2019,

NSO Group Fined $168M for Targeting 1,400 WhatsApp Users With Pegasus Spyware

ASUS has disclosed a critical security flaw impacting routers with AiCloud enabled that could permit remote attackers to perform unauthorized execution of functions on susceptible devices.
The vulnerability, tracked as CVE-2025-2492, has a CVSS score of 9.2 out of a maximum of 10.0.

"An improper authentication control vulnerability exists in certain ASUS router firmware series,"

ASUS Confirms Critical Flaw in AiCloud Routers; Users Urged to Update Firmware

A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victims email address

In a new version of the old “Hello pervert”  emails, scammers are relying on classic email spoofing techniques to try and convince victims that they have lost control of their email account and computer systems.

Email spoofing basically comes down to sending emails with a false sender address, a method in use in various ways by scammers. Obviously, pretending to be someone else can have its advantages, especially if that someone else holds a position of power or trust with regards to the receiver.

But sending a message to the victim’s from their _own_ email address might convince the victim that they have lost access over their own account.

The text of the email roughly looks like this:

> “As you may have noticed, I sent you an email from your email account
> 
> This means I have full access to your account
> 
> I’ve been watching you for a few months
> 
> The thing is, you got infected with a njrat through an adult site you visited
> 
> If you don’t know about this, let me explain
> 
> The njrat gives me full access and control over your device.
> 
> This means I can see everything on your screen, turn on the camera and microphone, but you don’t know it
> 
> I also have access to all your contacts and all your correspondence.
> 
> On the left half of the screen, I made a video showing how you satisfied yourself, on the right half you see the video you watched.
> 
> With a click of a mouse I can send this video to all your emails and contacts on social networks
> 
> I can also see access to all your communications and messaging programs that you use.
> 
> If you want to avoid this,
> 
> Transfer the amount of 1200 USD to my bitcoin address (“write buy bitcoin or find for bitcoin exchange if you don’t know”)
> 
> My Bitcoin address (BTC wallet): 1FJg6nuRLLv4iQLNFPTpGwZfKjHJQnmwFs
> 
> After payment is received, I will delete the video and you will not hear from me again
> 
> I’m giving you 48 hours to pay
> 
> Do not forget that I will see you when you open the message, the counter will start
> 
> If I see you’ve shared this message with someone else, the video will be posted immediately”

If the victim decides to search for “njrat” they’ll find that it’s a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, upload/download files, view the victim’s desktop, and more.

Scary stuff, and it supports the claims the scammer makes.

But, as with all sextortion scams, this threat is an entirely empty one. There is more than likely no lurid video, no “njrat,” no list of contacts. Instead, there is just a threat which is meant to drive panic which is meant to drive payment.

When we checked, we were happy to see that the scammers’ Bitcoin wallet is empty, although they could have set up a separate one for each victim.

**How to recognize sextortion emails**

Once you know what’s going on it’s easy to recognize these emails. Remember that not all of the below characteristics have to be included in these emails, but all of them are red flags in their own right.

*   The emails often look as if they came from one of your own email addresses.
*   The scammer accuses you of inappropriate behavior and claims to have footage of that behavior.
*   In the email, the scammer claims to have used “Pegasus” or some Trojan to spy on you through your own computer.
*   The scammer says they know “your password” or compromised your account.
*   You are urged to pay up quickly or the so-called footage will be spread to all your contacts. Often you’re only allowed one day to pay.
*   The actual message often arrives as an image or a pdf attachment. Scammers do this to bypass phishing filters.

**What to do when you receive an email like this**

First of all, even if it’s only to reassure yourself, scan your computer with an anti-malware solution that can detect and remove njRAT (if present).

Second, if your computer is clean, check if your email account has not been compromised. Change the password and enable 2FA if possible.

Don’t respond to the scammer, since that will confirm that the email address is in use and the mail is read. This could invoke more emails from scammers.

Don’t let yourself get rushed into action or decisions. Scammers rely on the fact that you will not take the time to think this through and subsequently make mistakes.

Do not open unsolicited attachments. Especially when the sender address is suspicious or even your own.

For your ease of mind, turn off your webcam or buy a webcam cover so you can cover it when you’re not using the webcam.

 “I sent you an email from your email account,” sextortion scam claims 

The Israeli spyware maker, still on the US Commerce Department’s “blacklist,” has hired a new lobbying firm with direct ties to the Trump administration, a WIRED investigation has found.

Shortly after Donald Trump declared victory in November, NSO Group cofounder and majority owner Omri Lavie rushed to X to congratulate him, speaking of a “new chapter where the world goes back to common sense,” while accusing the outgoing Biden administration of being “weak.” In another tweet, he gushed in Hebrew that Republicans “won in every category: the presidency, Congress, Senate, and the popular vote.”

Lavie’s enthusiasm is understandable. His company—frequently associated with alleged human rights abuses, most recently in February when journalists in Serbia were targeted with its Pegasus spyware—had a significant stake in a Trump victory, with the hopes of regaining the ability to freely do business with US entities. In a comment to Amnesty International, NSO stated, in part, that its “commitment to maintain the highest standard of ethical conduct as well as confidentiality towards our customers is paramount and is consistent with industry norms and our legal obligations.”

The Israeli spyware vendor has been on the US Commerce Department’s “blacklist” for more than three years, meaning it cannot do business with US companies without specific government approval. NSO Group poured at least $1.8 million into an aggressive pre-election lobbying effort, focusing primarily on Republican senators and representatives, with some meetings occurring as often as eight times. Yet the company remains on the Entity List.

Now, with a new occupant in the White House, NSO Group appears to be shifting its political strategy.

The company seems to have either terminated or altered its engagement with several of its previous lobbying consultancies in Washington—some of which were closely aligned with the Democrats—and has started working with a key new lobbying partner: the Vogel Group.

Founded by Alex Vogel, who served as chief counsel to former Senate majority leader Bill Frist, the Vogel Group is providing NSO Group with “strategic advisory on cybersecurity policy matters,” according to lobbying disclosure documents filed on March 10.

The Vogel Group’s connection to the Trump administration includes areas of key interest to NSO Group. One of the Israeli spyware vendor’s new lobbyists, Jonathan Fahey, joined Vogel’s Washington, DC, office as a principal on January 29 and served in various roles during Trump's first term, including acting director and acting principal legal adviser at Immigration and Customs Enforcement, deputy assistant secretary at the Department of Homeland Security, and general counsel to the White House Office of National Drug Control Policy—all three relevant departments for a company selling surveillance technology.

Another Vogel Group staffer, Hayden Jewett, is listed in disclosure records as assigned to lobby on behalf of NSO group. Jewett served as a congressional staff liaison to President Trump’s 2016 inauguration, facilitating coordination between congressional offices and the inaugural committee.

Law firm Holtzman Vogel—of which Alex Vogel is a partner—was founded by his wife, Jill Holtzman Vogel, a former Virginia state senator, a former chief counsel of the Republican National Committee (RNC), and a current principal at the Vogel Group. The firm has reportedly worked for the National Republican Senatorial Committee and the National Republican Congressional Committee and received in 2024 over $9.3 million in reported payments, with significant political funding from Republican organizations.

Holtzman Vogel also represented former Metropolitan Police Department lieutenant Andrew Zabavsky, who was pardoned by Trump in January 2025 for his conviction for obstruction of justice related to the investigation into the death of 20-year-old Karon Hylton-Brown, a case that sparked protests ahead of the 2020 US election.

Bill McGinley, a principal at the Vogel Group and former assistant to the president and cabinet secretary during Trump’s first term, left the lobbying firm after Trump appointed him to White House counsel on November 12. He was then reassigned as counsel to the so-called Department of Government Efficiency (DOGE) on December 4, only to leave on January 23.

“Lobbyists and advisers who have passed through the revolving door, having worked in the previous Trump White House or for the campaign, as well as those who are big campaign donors have a unique ability to bend the ear of the new administration,” says Dan Auble, a senior researcher at the nonprofit OpenSecrets, which tracks US political spending. “That access is very valuable.”

NSO Group spokesperson Gil Lainer declined to comment on the scope of the contract with the Vogel Group when asked by WIRED. The Vogel Group did not respond to WIRED’s request for comment.

**Closing the Circle**

NSO Group’s recent lobbying efforts appear to have mainly focused on Republican lawmakers, more than executive branch power players, particularly as the Biden administration had been engaged in a crackdown on commercial spyware. The company previously worked with several lobbying contractors, with whom it appears to have either terminated or altered its registrations.

These include its registrations under Foreign Agents Registration Act (FARA) with Pillsbury Winthrop Shaw Pittman LLP and Chartwell Strategy Group, as well as registrations under the Lobbying Disclosure Act (LDA) with law firms Paul Hastings LLP and Steptoe LLP. Pillsbury previously engaged Chartwell Strategy Group to provide NSO Group with “strategic communications counsel.” Chartwell Strategy Group has now, for the first time, registered under the LDA as a lobbyist for NSO Group, while the only current active registration of NSO Group under FARA is with Paul Hastings LLP.

Lobbyists representing foreign commercial interests—if their work is not intended to benefit a foreign government or political party—can be exempt from FARA and instead register under the LDA, which has no requirement to report specific meetings and is, overall, far less transparent than FARA.

Much of the public knowledge about NSO Group’s lobbying efforts came from FARA filings. Since both the Vogel Group and Chartwell Strategy Group are now registered under the LDA, it will now be more difficult to monitor their lobbying efforts.

Examining NSO Group's past and present consultants reveals numerous individuals who, one way or another, have been associated with the Trump administration. These people are not all lobbyists, but they do have direct connections to Trump world. They include David Tamasi, managing director at Chartwell Strategy and DC chairman of Trump’s 2016 joint fundraising committee, who bundled more than $500,000 for Trump’s campaign and the RNC in 2020, and at least $15,000 in 2024. His firm, a key player in NSO Group’s lobbying, had been actively preparing clients for Trump’s return.

Other NSO-connected figures also have close Trump ties: Bryan Lanza, a partner at Mercury Public Affairs, which consulted for the company from 2020 to 2021, is a veteran Trump ally; Michael Flynn, Trump’s former national security adviser, was paid nearly $100,000 by NSO Group’s parent firms, according to the The Washington Post, and was recently appointed by Trump to a West Point advisory board; Jeff Miller, who raised millions for Trump, received $170,000 from an NSO-linked company and was spotted at Trump’s 2024 election night event at Mar-a-Lago; and Rod Rosenstein, Trump’s former deputy attorney general, represented NSO Group in a lawsuit and previously helped justify Trump’s firing of FBI director James Comey.

Pillsbury Winthrop Shaw Pittman LLP, Chartwell Strategy Group, Paul Hastings LLP, and Steptoe LLP did not reply to WIRED’s request for comment. Nor did Flynn, Miller, or Rosenstein. Tamasi did not respond in time for publication.

**What Counts as a Win**

As of early March—before Vogel Group’s registration as a lobbyist for NSO Group—there had been no indication that the Trump administration intended to remove the company from the Entity List, according to a source familiar with the administration’s moves regarding spyware, who asked not to be named in order to discuss confidential matters. However, recent comments by NSO Group’s Lavie soft-peddled the impact of the Entity List on the company’s ability to operate in the US.

“\[The Americans\], when they say ‘blacklist,’ it sounds much more dramatic to me than it actually is,” Lavie claimed during an interview in Hebrew on an Israeli podcast following Trump’s election. He added: “You can still do business in the United States; it is definitely not a barrier for us to sell in the US.”

“In practice, we are on the list of Commerce, and what this does for us from a regulatory perspective, it simply forces American companies—if we want to buy technology from them—to ask for permission to sell us the technology. That's all,” Lavie said.

​​Lobbying efforts can target different parts of the US government. By lobbying the executive branch (the president and agencies), lobbyists can influence how laws are enforced rather than what the laws say. In contrast, when lobbying Congress, the focus is on passing, blocking, or amending laws by influencing legislators.

For example, for a company to be removed from the Entity List, it must go through a lengthy administrative process that includes a review by an interagency committee composed of representatives from the departments of Commerce, State, and Defense, among others. Although Congress could theoretically influence this process, it is not directly involved.

During the presidential transition period, NSO Group mainly focused on Congress and reached out to at least 10 Republican senators, representatives, and their staff, before beginning its outreach with the incoming administration. On February 2, the company shared its annual transparency report with Trump’s new deputy national security adviser, Alex Wong.

The Vogel Group could play a key role in supporting NSO Group if it attempts to engage with the new executive branch, including the president’s executive office, the National Security Council, and the State, Justice, and Commerce Departments, among other relevant agencies. Such engagement might aim not only at addressing NSO Group’s placement on the Entity List, but also at challenging the spyware-related visa restrictions imposed by the previous administration. In addition, the firm could potentially assist in efforts to roll back Executive Order 14093, signed by President Joe Biden, which continues to restrict the US government’s use of commercial spyware.

Asked whether the Trump administration intends to uphold the EO, White House press secretary Karoline Leavitt declined to comment.

“Much is at stake if the US revokes Executive Order 14093, an order that sets standards on US acquisition of spyware, as access to the US market, and US purchasing power, are great tools in shaping the global scope and scale of the market for spyware,” says Jen Roberts, the Atlantic Council’s associate director of the Cyber Statecraft Initiative and coauthor of a recent major report on the commercial spyware industry. Roberts also highlighted the need to better regulate US outbound investment into such technologies.

**Watching for Signs**

During Trump's first term, the FBI secretly acquired the Pegasus spyware for limited testing in 2019 and seriously contemplated its operational deployment; while during the final months of the administration in 2020, the US initiated a deal that financed the purchase of the Israeli spyware for Colombian security forces, according to the Colombian ambassador to the US and reported by Drop Site News. (The deal was finalized in 2021, after Trump left office.) In an official statement, NSO Group confirmed its dealings with Colombia but denied claims that the software was purchased irregularly. The New York Times also reported that in 2018 the CIA had purchased Pegasus for the government of Djibouti to conduct counterterrorism operations, while the Secret Service held discussions with NSO Group the same year.

The access and influence NSO Group could attain through lobbying efforts by companies like the Vogel Group and Chartwell Strategy Group could lead to a more favorable political environment and, in turn, potentially increase business opportunities under a second Trump administration—something very hard for outsiders to measure, given the opaque nature of government procurement of surveillance technologies.

In the coming weeks and months, NSO Group’s interactions with US government officials, facilitated by its lobbying, will be critical in achieving such a favorable political environment. Caroline Glick, an adviser to Israeli prime minister Benjamin Netanyahu, has also been recently lobbying the Trump White House—among others—on the matter of “request\[ing\] to check for options for lifting sanctions on Israeli technology companies,” according to reports in the Israeli media.

Experts closely monitoring the commercial spyware industry are raising the alarm about the prospect of NSO Group regaining business under Trump—further exacerbated by new reports that the company has been simultaneously pushing its interests on the international stage through the so-called Pall Mall Process, a UK- and France-led initiative to regulate such technologies.

“NSO has become a toxic brand that is widely associated not just with human rights abuses but also with national security threats to US, UK, France, and other countries,” says Natalia Krapiva, senior tech-legal counsel at civil-liberties-focused nonprofit Access Now.

Lainer, the NSO Group spokesperson, tells WIRED that the company “complies with all laws and regulations and sells only to vetted intelligence and law enforcement agencies, which use these technologies daily to prevent crime and terror attacks.” Lainer adds that NSO “has initiated and implemented the industry’s leading compliance and human rights program, which protects against misuse by government entities and investigates all credible claims of misuse”

Ultimately, the current administration will have the final say on how the US regulates NSO Group.

Senator Ron Wyden of Oregon, who has actively worked to address concerns related to surveillance and spyware, tells WIRED that “the Biden Administration blacklisted NSO” because its tool was used to “maliciously targeting journalists, human rights workers, and even US government officials around the world on behalf of foreign dictators and making all Americans less safe.”

“If Donald Trump puts the NSO Group back in business,” Wyden adds, “he'll be directly responsible for opening up new threats to our national security and enabling atrocities by foreign dictators.”

Spyware Maker NSO Group Is Paving a Path Back Into Trump’s America

Citizen Lab's investigation reveals sophisticated spyware attacks exploiting WhatsApp vulnerabilities, implicating Paragon Solutions. Learn how their research exposed these threats and the implications for digital privacy.

Cybersecurity researchers at the Citizen Lab at the University of Toronto have exposed the use of sophisticated spyware named **Graphite**, developed by the Israeli firm Paragon Solutions, to target high-profile individuals through WhatsApp.

Their **investigation** reveals that a previously unknown zero-day vulnerability in WhatsApp’s software allowed the spyware to be installed on devices through a zero-click exploit, allowing adversaries to gain unauthorized access to targeted phones.

For your information **zero-click exploits** mean that a device can be compromised without the user clicking a link, opening a file, or performing any other action.

Attack flow explained (Source: The Citizen Lab)

****Graphite Spyware Servers Worldwide****

Paragon Solutions, established in 2019 by figures including former Israeli Prime Minister Ehud Barak, claims to differentiate itself by adhering to ethical standards, unlike other spyware vendors like the **NSO Group**.

However, Citizen Lab’s researchers mapped out servers attributed to Graphite, and identified suspected deployments against journalists, human rights activists, and government critics across multiple countries. This includes:

*   Italy
*   Israel
*   Canada
*   Cyprus
*   Denmark
*   Australia
*   Singapore

WhatsApp’s parent company, Meta, has confirmed that approximately 90 users in 24 countries were targeted. However, since the researchers are based in Canada; a significant aspect of the investigation focused on a Canadian client, the Ontario Provincial Police (OPP). The analysis uncovered links between Paragon and the OPP, revealing a systematic use of spyware capabilities among Ontario-based police services.

The Italian connection proved to be a focal point of the investigation. Forensic analysis of Android devices belonging to individuals notified by WhatsApp, including journalist Francesco Cancellato and Mediterranea Saving Humans founders Luca Casarini and Dr. Giuseppe Caccia, revealed clear indications of Graphite spyware.

Researchers identified a unique Android forensic artifact, BIGPRETZEL, which confirmed the presence of Paragon’s spyware on these devices. The Italian government initially **denied** any involvement but later **acknowledged** having contracts with Paragon.

Furthermore, the investigation extended to an iPhone belonging to David Yambio, a close associate of the confirmed Paragon targets. Apple threat notifications received by Yambio, coupled with forensic analysis, revealed an attempted infection with novel spyware, subsequently patched by Apple in iOS 18.

In response to Citizen Lab’s findings, Meta, along with Apple and Google, collaborated to address the security vulnerability. WhatsApp implemented a server-side fix, eliminating the need for users to update their apps. Apple also released a patch for its iOS operating system to protect iPhone users.

WhatsApp subsequently **notified** the targeted users. “If we believe that your device has come under threat, we may notify you about it directly via a WhatsApp chat,” the notification read.

****WhatsApp Attacks Persist Despite NSO Group Lawsuit Win****

Hackread.com earlier **reported** that the infamous Israeli spyware company, NSO Group, was held legally liable for compromising hundreds of WhatsApp accounts. Court found NSO Group responsible for breaching WhatsApp’s terms of service and exploiting a vulnerability to install its powerful Pegasus spyware on at least 1,400 devices, targeting journalists, human rights activists, political dissidents, and government officials.

Interestingly, CyberScoop **reported** in November 2024 that NSO Group continued to develop new malware based on WhatsApp exploits, even after Meta filed a lawsuit against them and that when WhatsApp disabled the Eden exploit, NSO Group created the Erised vector to target users until May 2020.

Now, the Citizen Lab’s findings indicate that Israeli spyware firms are continually focusing on exploiting WhatsApp vulnerabilities for spyware deployment and aggressively using them against journalists and activists.  

These cases show the never-ending struggle between technology companies and malicious actors seeking to compromise user privacy and the critical need for continuous caution, stricter security measures, and legal accountability within the spyware industry to protect digital privacy and **human rights**.

Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit

Experts are warning about the proliferating market for targeted spyware and espionage. Why should we be concerned?

Experts are again warning about the proliferating market for targeted spyware and espionage.

Before we dive into the world of targeted spyware, it’s worth looking at a few of the main players that are active in and against this industry.

**Paragon Solutions** is an Israeli company which sells high-end surveillance technology primarily to government clients, positioning its products as essential for combating crime and national security. The name of Paragon’s spyware is Graphite.

However, a lot of controversy arose when it faced allegations over the targeting of specific WhatsApp users, including journalists and civil society members, leading to a cease-and-desist notice from WhatsApp. Following these allegations, Paragon Solutions ended its contract with Italy after Italian citizens were found to have been targeted.

The **NSO group** creates the high-level spyware known as Pegasus, and has also been caught spying on WhatsApp users. The NSO Group justifies the use of Pegasus by saying it’s a beneficial tool for investigating and preventing terrorist attacks and maintaining the safety of the public.

On the opposite side of the fence, **CitizenLab** is an interdisciplinary laboratory based in Toronto, Canada. CitizenLab focuses on studying information controls that impact the openness and security of the internet and pose threats to human rights.

The work done by CitizenLab has led to greater understanding of the global digital surveillance landscape and its implications for human rights.

Often, we will see newly found vulnerabilities in iOS, WhatsApp and other software credited to CitizenLab or one of its associates. They often find these vulnerabilities by analyzing devices of individuals infected with high-level spyware.

In an interview with TheRecord, founder Ronald Deibert said CitizenLab routinely checks people’s phones for spyware. Over time, the researchers at CitizenLab have honed their forensic skills to the level that they can pinpoint the moment of infection for the device right down to the second.

In a recent article, CitizenLab explained in great detail how it cooperated with Meta on uncovering a WhatsApp zero-day vulnerability and how it traced it back to Paragon and the Italian government.

While most of us will, hopefully, never have to deal or worry about getting infected with high-level spyware, we may end up falling victim to the vulnerabilities that are used to infect targets.

Both Paragon and the NSO group have brought many zero-day vulnerabilities to light in browsers and other online applications by using them to compromise mobile devices.

Zero-day vulnerabilities are hard to come by and therefore expensive. But once they are used against victims, there is a good chance that at some point they will be discovered and patched.

But small-time criminals will pick them up and try to use them against people who haven’t had a chance or the time to update their device yet.

Which is why we, on this blog, and through Malwarebytes’ Trusted Advisor, always urge people to keep their devices up-to-date.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

Tag

#asus