Evaluating Espionage-as-a-Service Market Size and Demand

You know that the espionage-as-a-service market is gigantic and that something is wrong with modern communication when “how to spy on Whatsapp” Google search provides about 118,000,000 results.

The number you see above is even bigger, as a lot of hacking tools for compromising instant messengers are put on sale on the Deep Web — the hidden part of The Internet, not indexed by your usual search engines.

If we look over related searches, we will see the following picture:

Granted this lookup only concerns the most popular messenger in the world, the details surrounding it are not limited in their variety. 

If we ask DuckDuckGo about the same issue, we will be provided with the following results.

While this is far from being a revelation, we can’t argue that spying on the app with 2 billion active users gets a lot of interest. 

The information about different ways of violating the privacy of others is freely available and products automated to do that are marketed like an everyday necessity.

Espionage-as-a-Service Marketing In a Nutshell

Whether it is offered to suspecting spouses, concerned parents, or companies that would like to monitor the conversations of their employees, the wording used to encourage potential clients and call-to-actions are unethical.

“Do they spend tremendous amount of time on WhatsApp? Keep an eye on online activity of any WhatsApp number.” [sic]

“Hiding something? Never annoy anyone again with questions. Find out whats going on yourself.” [sic]

“How much does it cost? It will cost you less than buying them a cup of coffee every day.”

There are tutorials on MAC spoofing, guides on exploiting WhatsApp Web, and an abundance of easy-to-use apps that romanticize this activity and find new ways to justify its use.

Some of the videos recorded to advertise the products are professionally narrated and the comment section is flooded with fake reviews.

There are also top 10 rankings, describing the functionality of the apps without saying anything and promising to spy effectively without having to jailbreak or root the target devices. 

Such products tell us that not only WhatsApp users can be compromised, but every popular application used for communication. 

And while there is a lot of noise regarding this market, history shows that it is possible to hijack devices using Android, iOS, and BlackBerry operating systems. 

Critical Vulnerability In WhatsApp That Lead To 1400 Compromised Users

CVE-2019-3568 dates back to May of 2019, and it's a vulnerability that affected over 1400 WhatsApp users, including government officials in more than 20 countries. 

While some cases highlighted compromises via SMS, phone calls via WhatsApp could also be exploited without any interaction from the target. During the start of the call, the target’s phone could be manipulated with a series of SRTP (Secure Real-Time Transport Protocol) packets. 

A buffer overflow vulnerability in VOIP (Voice Over Internet Protocol) stack allowed attackers to run malicious code on targeted devices as if it came from WhatsApp’s signaling servers. 

Compromising calls didn’t even reflect in call logs, which made this attack incredibly covert. Such an attack could alter the return addresses, making it possible for attackers to force a program to run arbitrary instructions and commands that download malicious apps on the device. 

CVE-2019-3568 vulnerability enabled low complexity attacks that led to unauthorized disclosure of information, unauthorized modification, and disruption of services. The issue affected the following versions of WhatsApp: 

• WhatsApp for Android before version 2.19.44 
• WhatsApp for iOS before version 2.19.51
• WhatsApp for Windows Phone before version 2.18.348
• WhatsApp for Tizen before version 2.18.15

Wild Pegasus and The Group Standing Behind It

WhatsApp claimed that Israeli NSO Group stood behind the surveillance code, and it was not the first time this hack-for-hire entity got accused of wrongdoing, as law enforcement investigation technologies offered by NSO (such as Pegasus) are commonly used for surveillance over non-criminals. 

In 2017, the Mexican government allegedly targeted journalists with SMS messages involving malicious links that carried contact list-compromising and keystroke-recording software. 

Saudi Arabia has also been accused of launching attacks against prominent dissidents using NSO Group’s spyware. Omar Abdulaziz had his device compromised for holding communication with Jamal Khashoggi, a journalist dismembered inside the Saudi consulate in Istanbul.

Facebook-owned messenger representatives stated that an investigation carried out by cybersecurity research group CitizenLab confirmed that journalists, lawyers, activists, and human rights defenders have been compromised. The NSO group explained that their products are designed to help governments catch criminals, and takes no responsibility for how their products are used. 

Just like the apps we vaguely talked about earlier.

Pegasus can enable jailbreak on the device and read texts, collect passwords, trace the location and gather data from Gmail, Viber, Facebook, Skype, and even Telegram. 

While updating the apps is a good precautionary step to limit the risk imposed on your privacy by third parties, sometimes just doing that is not enough. The choice of the app used for communication matters too.