NSO Claims Its WhatsApp Spyware Can Universally Hack iCloud, Google, Facebook, Amazon, Microsoft Cloud Data

An Israeli company that managed to hack WhatsApp earlier this year is now claiming it has developed new software that can stealthily swipe cloud data from Amazon, Apple, Facebook, Google, and Microsoft. It can even bypass two-factor authentication and warning emails on target devices.

Developed by NSO Group, the software is called Pegasus. Apparently it has been used for several years by various governments and spy agencies to gather data from smartphones, presumably from people of interest for one reason or another. The latest iteration, however, extends past smartphones and can pluck data from the cloud.

People who are supposedly familiar with NSO Group's sales pitch told Financial Times that Pegasus can gather a person's full history of their location data, archived messages, and photos. If true, it calls into question the security (or lack thereof) employed by some of the biggest names in tech.

According to the report, the latest version of Pegasus works by copying authentication keys to services such as Google Drive, Facebook Messenger, iCloud, and others. It then clones the login information from the phone to a separate server, allowing that server to impersonate the phone. It can even spoof the phone's location. Once that is done, an attacker has access to all of the user's cloud data.

It's said that Pegasus can infect the latest Android and iPhone handsets. Once a device is hacked, the attacker has unfettered access, even if the infected phone is wiped clean.

"This has got to be a serious wake-up call for a lot of companies," John Scott-Railton, a senior researcher at the University of Toronto’s Citizen Lab, told FT. "It accelerates the need for stronger forms of device authentication."

NSO Group maintains that it does not market hacking tools or mass-collection capabilities to cloud applications or services, though it did not deny that it has the capability to do so.

Amazon, Microsoft, and others offered up mostly canned statements (except for Google, which declined to comment). Apple was perhaps the most forthcoming about the situation, acknowledging to FT that "some expensive tools may exist" for these kinds of targeted attacks, but they're used on a "very small number of devices" and are not very useful for attacking consumers.