A recent report by The Citizen Lab has identified the governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore as likely customers of spyware developed by the Israeli company Paragon Solutions.
Paragon, which was founded in 2019 by Ehud Barak and Ehud Schneorson, is the creator of a surveillance tool called Graphite, capable of extracting sensitive data from instant messaging applications on a device.
The interdisciplinary lab identified these six governments as “suspected Paragon deployments” after analyzing the server infrastructure associated with the spyware.
This development comes nearly two months after Meta-owned WhatsApp announced that it had notified approximately 90 journalists and civil society members that they had been targeted by Graphite; the attacks were disrupted in December 2024.
The targets of these attacks were spread across more than two dozen countries, including several in Europe, such as Belgium, Greece, Latvia, Lithuania, Austria, Cyprus, Czech Republic, Denmark, Germany, the Netherlands, Portugal, Spain, and Sweden.
According to a WhatsApp spokesperson, “This is the latest example of why spyware companies must be held accountable for their unlawful actions. WhatsApp will continue to protect people’s ability to communicate privately.”
In these attacks, the targets were added to a WhatsApp group and sent a PDF document, triggering a now-patched zero-day vulnerability to load the Graphite spyware. The final stage involved escaping the Android sandbox to compromise other apps on the targeted devices.
Further investigation of hacked Android devices has revealed a forensic artifact known as BIGPRETZEL, which is suspected to uniquely identify infections with Paragon’s Graphite spyware.
Evidence has also been found of a likely Paragon infection targeting an iPhone belonging to the Italy-based founder of the organization Refugees in Libya in June 2024. Apple addressed the attack vector with the release of iOS 18.
According to Apple, “Mercenary spyware attacks like this one are extremely sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals because of who they are or what they do.”
Apple also stated, “After detecting the attacks in question, our security teams rapidly developed and deployed a fix in the initial release of iOS 18 to protect iPhone users, and sent Apple threat notifications to inform and assist users who may have been individually targeted.”