Recently, former Egyptian MP was targeted with Cytrox’s Predator spyware, delivered via links on SMS and WhatsApp.
Apple released an update to fix the bug used in the attack on MP’s device.

History of spyware use against political opponents

The Pegasus Project in 2021 revealed widespread use of spyware targeting more than 50,000 phone numbers in 50 countries.
Spyware attacks have been reported in countries including India, Azerbaijan, Bahrain, Hungary, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the UAE.
Spyware, such as Pegasus, was used to target journalist Jamal Khashoggi’s wife before his murder in the Saudi consulate in Istanbul.

Definition of spyware and commercial spyware

Spyware is malicious software that infiltrates a device, gathers sensitive data, and transmits it to a third party without the user’s consent.
Commercial spyware is used by governments and law enforcement agencies for legal investigations but has been exploited by authoritarian governments against political opponents.
Commercial spyware like Pegasus can access and control a device’s camera and microphone without the user’s knowledge.

Methods of targeting devices

Spyware can be delivered through malicious links, SMS messages, or network injections.
Zero-day vulnerabilities, even unknown to device manufacturers, are often exploited to deliver spyware.
Spyware is capable of zero-click attacks, infecting devices without user interaction.
Between 2011 and 2023, at least 74 governments contracted with commercial firms for spyware or digital forensics technology.
Autocratic regimes are more likely to procure targeted surveillance technologies.
Various governments and agencies have been reported to use spyware, including India, the U.S., Mexico, the UAE, and Saudi Arabia.

Challenges and backlash against spyware firms

Inconsistencies in democratic governments’ responses and regulatory fragmentation enable spyware use.
The Pegasus Project led to the blacklisting of the NSO Group by the U.S., but other companies have filled the gap.
Germany’s FinFisher and Italy’s Hacking Team were dominant players in the spyware market prior to Pegasus.
Israel is the leading exporter of spyware, but concerns about human rights have not been adequately addressed in export licensing.

Tech Companies’ Responses

Tech giants like Meta, Google, and Apple have taken steps to address spyware threats.
Apple and Google have released updates to fix spyware-exploited software bugs.
Apple introduced “Lockdown Mode” for high-risk individuals to protect against spyware attacks.
WhatsApp pursued a lawsuit against NSO Group for exploiting its software, seeking an injunction and damages.
The current U.S. administration has supported the lawsuit against NSO Group.

Cyber Surakshit Bharat Initiative (2018): Spreads awareness about cybercrime and enhances the cybersecurity capacity of Chief Information Security Officers (CISOs) and IT staff in government departments.
National Cybersecurity Coordination Centre (NCCC) (2017): Monitors internet traffic and communication metadata to detect real-time cyber threats.
Cyber Swachhta Kendra (2017): A platform for users to clean their computers and devices from viruses and malware.
Indian Cyber Crime Coordination Centre (I4C): Recently inaugurated by the government.
National Cyber Crime Reporting Portal: Launched pan India to report cybercrimes.
Computer Emergency Response Team – India (CERT-IN): The nodal agency dealing with cybersecurity threats like hacking and phishing.
Information Technology Act, 2000.
Personal Data Protection Bill, 2019.

International Mechanisms

International Telecommunication Union (ITU): A specialized agency within the United Nations focusing on standardization and development of telecommunications and cybersecurity issues.
Budapest Convention on Cybercrime: An international treaty addressing Internet and computer crime by harmonizing national laws and promoting cooperation among nations (India is not a signatory).

Malware: Includes ransomware, spyware, worms, viruses, and Trojans, designed to cause harm to computers, servers, or networks.
Phishing: Involves deceptive emails and websites to gather personal information.
Denial of Service (DoS) Attacks: Aim to make a machine or network inaccessible by overwhelming it with traffic or causing a crash.
Man-in-the-Middle (MitM) Attacks: Attackers insert themselves into two-party transactions to intercept and steal data.
SQL Injection: Targets servers with malicious code to retrieve unauthorized information from databases.
Cross-Site Scripting (XSS): Injects malicious code into websites, affecting users’ browsers when they visit the attacked site.
Social Engineering: Manipulates human interactions to trick users into compromising security procedures and revealing sensitive information.

Commercial Spyware