Paragon Spyware Attacks Exploited WhatsApp Zero-Day 

Attacks using Paragon's Graphite spyware leveraged a WhatsApp zero-day that could be exploited without any user interaction.

The Citizen Lab research group at the University of Toronto has conducted an analysis of attacks involving spyware developed by Israeli company Paragon Solutions, which led to the discovery of a zero-day vulnerability in Meta’s WhatsApp communications application.

Paragon has been around since 2019 and its spyware is called Graphite. The company claims that — unlike NSO Group and other surveillance firms whose solutions have been used by authoritarian regimes to target activists, politicians and journalists — it has safeguards in place to prevent such abuse.

Citizen Lab has found evidence of Graphite use in Australia, Canada, Denmark, Singapore, Israel and Cyprus. There is some indication that the spyware has been used by police in Canada.

The Graphite spyware made headlines recently over its use against people in Italy, including against Android and iPhone device users. The Italian government in February denied spying on journalists and migrant activists with the Paragon spyware.

Meta recently warned 90 users across two dozen countries that they had been targeted with Paragon spyware over WhatsApp. 

At least some of these attacks involved exploitation of a WhatsApp zero-day that did not require any user interaction, according to Citizen Lab.

“We shared details about our mapping of Paragon’s infrastructure with Meta, because we believed that WhatsApp might be used as an infection vector. Meta told us that these details were pivotal to their ongoing investigation into Paragon. Meta shared information with WhatsApp that led them to identify, mitigate, and attribute a Paragon zero-click exploit,” Citizen Lab said.

WhatsApp exploits, particularly zero-click exploits, can be highly valuable

WhatsApp has not released an advisory for the vulnerability and does not appear to have assigned it a CVE identifier, which suggests that the flaw was fixed on the server side and that users do not need to update the app or take any other action.

Separately from the zero-day, WhatsApp confirmed to Citizen Lab that an Android component tracked as BigPretzel, which has been seen in attacks targeting its users, is also associated with Paragon.

Citizen Lab noted that the recently uncovered evidence seems to contradict Paragon’s claims regarding the types of entities targeted with its solutions.

“The 90-some targets notified by WhatsApp likely represent a fraction of the total number of Paragon cases. Yet, in the cases already investigated, there is a troubling and familiar pattern of targeting human rights groups, government critics, and journalists,” Citizen Lab said.

UPDATE: WhatsApp representatives told SecurityWeek they were able to address the vulnerability — which they describe as an ‘attack vector’ — late last year, without the need for a client-side fix. The attacks involved using groups and sending a PDF file.

Related: Apple Ships iOS 18.3.2 to Fix Already-Exploited WebKit Flaw

Related: NSO Group Used at Least 3 iOS Zero-Click Exploits in 2022: Citizen Lab

Related: North Korean Hackers Distributed Android Spyware via Google Play

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
