In the last week, reports about NSO Group’s dealings with state agencies have surfaced in three different countries — the United States, Ghana, and Mexico. The controversial Israeli spyware company had pitched its products to American police, Motherboard reported. Three former high-ranking officials in Ghana were sentenced to prison for “clandestinely” purchasing Pegasus, Modern Ghana reported. The Mexican government said that the previous government had purchased it and the incumbent government was investigating its purchase.

NSO Group pitched proto-Pegasus to San Diego Police

The NSO Group, whose software — Pegasus — was used to spy on 121 Indians using a vulnerability in WhatsApp, pitched its products to American police as well, Motherboard reported on May 12. The products included Phantom, a hacking product that “remotely and covertly extracts all data from any smartphone”, as per the brochure shared by Motherboard. Since the story broke, American Senator Ron Wyden (Democrat) has already called for “aggressive oversight” over the sale of the NSO Group’s tools to American police, according to the Register. Wyden, who heads the Senate Finance Committee, had called for examining the possibility of the NSO Group and other foreign surveillance companies hacking US citizens and called it a “serious national security issue” in the wake of WhatsApp’s lawsuit.

Phantom is reportedly the “brand name” in the United States for Pegasus, the spyware that was also used to target human rights activists and lawyers in the UAE, Mexico, etc. As per the brochure, Westbridge Technologies, which is based in Bethesda, Maryland, is the North American branch of the NSO Group. WhatsApp’s lawsuit against the NSO Group claimed the same, but the NSO Group denied having any American operations in the suit last month.

In a statement to MediaNama, an NSO spokesperson said,

“There are significant legal and contractual constraints concerning our ability to comment on whether a particular government agency has licensed, or considered licensing NSO’s products.

“NSO offers its technology only to verified and authorized government agencies, and we are incredibly proud of our products’ record of helping governments save lives, prevent terror and serious crime worldwide.

“We stand by previous statements that NSO Group products cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology which enables targeting phones with US numbers.” — NSO Group spokesperson

The brochure specified that the NSO Group has “a strong global customer base” in Asia, Africa, Europe and Latin America, thereby suggesting that it has not sold its products in the US, Canada and Australia yet despite having a sales arm there. However, the NSO spokesperson told us, “As stated previously, Westbridge Technologies shares a parent company with NSO but is neither NSO’s subsidiary nor its ‘arm’. NSO exercises no control over Westbridge Technologies.”

The product was pitched to the San Diego Police Department in April 2016 by an employee of Westbridge Technologies. At the time of pitching, a former NSO employee told Motherboard, Phantom was “1-click except for Blackberries which were 0-click”. A 0-click attack needs no engagement from the target, while a 1-click attack requires the target to click on something that the NSO client sends to the phone. When Pegasus was used to target Indians using the WhatsApp vulnerability, it was a 0-click attack since a missed call, which required no engagement from the target, was enough to plant the spyware.

What can Phantom do? Phantom collects all data on the smartphone including: “contact list, text messages, call history, emails, instant messaging, call interception, room wiretap, camera snapshots, calendar, GPS tracking, browser history and app data such as Skype and Facebook”. It can also monitor WhatsApp, and collect passwords. It can “overcome encryption, SSL, proprietary protocols”. This spyware can “endure the mobile device factory reset” and can identify if the target has used multiple SIM cards. If all that is not enough, the software can also be customised as per the client’s “needs and regulations”. It can be installed remotely with “minimal or no engagement from the target, requires no third party involvement from cell phone carriers, and leaves no trace whatsoever on the device”.

We have reached out to the San Diego Police Department for comment.

Ghana sentences buyers of Pegasus to prison

Three former directors on the board of the country’s National Communications Authority were sentenced to a total of 16 years in prison for their role in “clandestinely” purchasing Pegasus from NSO Group and embezzlement of $4 million of state funds, Modern Ghana reported on May 12. This is the same deal that Facebook cited as evidence of how NSO Group operates via local agents (such as Infraloks Development Limited in this case) when it filed the lawsuit against the NSO Group in October 2019.

The contract had been signed in December 2015 between William Tetteh Tevie, the then Director General of the National Communications Authority (NCA), and George Derek Oppong, Director – Business Development of Infraloks. Tevie has been sentenced to five years imprisonment, as has Alhaji Salifu Minimina Osman, a former Deputy National Security Coordinator, on charges of conspiracy to willfully cause financial loss to the state, contravention of the public procurement act and intentionally misapplying public property. Oppong, however, was acquitted of all charges against him. Eugene Baffoe-Bonnie, a former chair of the board of the NCA, has been sentenced to six years, as per the Modern Ghana report.

Although Pegasus cost $6 million, it cost the Ghanaian government $8 million since Infraloks charged $2 million to facilitate the transaction, as per the facts presented by Attorney General Gloria Akuffo. The spyware was purchased to monitor conversations of terror suspects, as per the Modern Ghana report. National Security reportedly did not have the money to fund the transaction and thus the NCA, which had supervisory jurisdiction over use of such tools, was asked to fund the project. $4 million was withdrawn from the NCA’s account, of which $1 million was deposited in NSO Group’s account and $3 million in Oppong’s (of Infraloks).

However, in a statement to MediaNama, the NSO spokesperson said, “NSO Group cannot comment directly on an internal Ghanaian government matter, but we understand from local reports that recently announced sentences were for internal misconduct and misappropriation of funds, and had nothing to do with any alleged deed or action by NSO Group.”

Mexico is investigating purchase of Pegasus by former government

The Mexican Secretariat of Security and Civilian Protection, on May 7, said that the Office of the Special Prosecutor for Attention to Crimes against Freedom of Expression was investigating the purchase of Pegasus and its subsequent deployment. As per the Secretariat, the software was acquired by the Centre for Investigation and National Security (now called National Information Centre) of the former President Enrique Peña Nieto in 2014 and its licence expired in 2017; it was not renewed. On the instructions of Mexico’s National Institute for Transparency, Access to Information and Protection of Personal Data (INAI), the Attorney General’s office was forced to uninstall the software due to complaints received about the “discretionary use” of Pegasus. Mexican national daily La Jornada first reported this.

According to the Secretariat, the current government, led by President Andrés Manuel López Obrador, has not used Pegasus as it “decided not to renew the operating licence”. However, Obrador came to power in December 2018 and the licence expired in 2017. The Citizen Lab, a research group based at the University of Toronto, had reported that Mexican journalists investigating cartels, lawyers, and politicians had been targeted with Pegasus in 2017.