NSO Group says that its Pegasus spyware is merely a tool for investigating terrorism and crime, and leaves no trace at all. However, an investigation released by The Guardian earlier today reveals it to be spyware for authoritarians to target their political opponents.

A leak of 50,000 phone numbers, and its analysis, conducted by Forbidden Stories with the support of Amnesty International’s Security Lab, focuses on one specific tool. Named Pegasus, it is hacking spyware owned by the Israeli NSO Group. The spyware runs on iPhone and Android mobile devices and lets its operator access messages, emails, and photos, or even secretly record calls and activate microphones.

Who are its users? At least 10 governments: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia, and the United Arab Emirates (UAE). The majority of the numbers were looked up by three countries. Mexico had 15,000 requests, while Algeria and the UAE had 10,000 requests each.

The leak reveals that the data did not come only from criminals and suspected terrorists. It also came from journalists, human rights activists, and lawyers.

Who is affected by the Pegasus spyware?

There is very credible proof to show that the Pegasus tool was used to combat criminal activity and terrorism. The leaked data included plenty of information about suspected criminals.

However, the data from the 50,000 leaked numbers also included information from more than 180 journalists, covering major outlets, such as CNN, the New York Times, France 24, and more. The list also included the number of the murdered Mexican reporter, Cecilio Pineda Birto – it was requested in the weeks prior to his death. His phone was not found at the crime scene.

A further peer-reviewed study, conducted by Amnesty’s Security Lab, collected a sample of 67 phones from various journalists, lawyers, and human rights activists. Some Pegasus spyware activity was found on 37 of them.

NSO denies that its tools could be targeting non-criminal subjects, and in a later response denies all claims but commits to investigating all credible ones. The company denies the possibility that the list was “targeted by governments using Pegasus”, and called the overall 50,000 figure overstated.

Just last month, in a transparency report, NSO claimed to have a leading approach to human rights and showed that the contracts bind the customers to use the spyware for criminal and national security investigations.

Both the study and the response point to the possibility that the governments may have breached their contracts and used the Pegasus tool to get information on journalists and political opponents.

How does Pegasus spyware work?

Pegasus is a RAT (Remote Access Trojan) that can gain access to pretty much every consumer phone, even the most up-to-date iPhone and Android models.

Back in the day, it was much less powerful. As recently as 2016, Pegasus was pretty rudimentary. Using a spear-phishing technique, it simply tried to trick the targets into clicking a malicious link.

But it’s not as simple anymore. Now, Pegasus can get onto a device with a “zero-click” attack, meaning it does not require any interaction from the phone’s owner to be installed. One of the most common ways to get the data is to exploit a zero-day vulnerability, which happens when an early version of the updated software still includes some exploitable bugs.

Very popular targets for the software were WhatsApp and iMessage, because of how widely they are used. In iMessage’s case, it even comes preinstalled on every iPhone.

If neither of these options works, Pegasus can simply be installed over a wireless receiver placed next to a target, or just manually installed if the agent gains access to the target’s phone.

From there, Pegasus can harvest pretty much all the information stored on the phone. That means your SMS messages, address books, emails, calendars, calls, browser history, passwords, and social media are all available.

We will update this story, as more new facts come in.