Amnesty supports Apple warnings about Indian government and Pegasus spyware


Amnesty International has confirmed what Apple had warned about in late October – that the government of India is using the infamous Pegasus spyware to target journalists and the opposition.

In late October, Apple warned Indian journalists and opposition politicians that the government was targeting their iPhones in continuous state-sponsored attacks.

There was no official statement from Appl. But over half a dozen Indian lawmakers, belonging to parties that oppose the prime minister Narendra Modi’s ruling Bharatiya Janata Party, said they had received threat notifications from the tech giant – as did several high-profile journalists.

ADVERTISEMENT

India reacted furiously. Government officials publicly questioned Apple’s alleged findings, said the firm’s algorithms were faulty, and announced an investigation into the security of Apple devices.

The Washington Post also said officials were angrily pushing Apple’s representatives in India to retract the warnings. But the company – it already filed a lawsuit against the Israeli company NSO Group, the creator of Pegasus spyware – stood firm.

Needless to say, India hasn’t bothered to publicly confirm or deny using the Pegasus tool. But now, Amnesty International, the globally-active nonprofit advocacy group, says it found the invasive spyware on the iPhones of prominent journalists in India.

Amnesty’s statement says that forensic investigations by Amnesty International’s Security Lab confirmed that Siddharth Varadarajan, founding editor of The Wire, and Anand Mangnale, the South Asia Editor at The Organised Crime and Corruption Report Project (OCCRP), were among the journalists recently targeted with Pegasus spyware on their iPhones, with the latest identified case occurring in October 2023.

The organization also claimed that the revelation comes amid “an unprecedented crackdown” by the Indian authorities on freedom of peaceful expression and assembly.

“Our latest findings show that increasingly, journalists in India face the threat of unlawful surveillance simply for doing their jobs, alongside other tools of repression including imprisonment under draconian laws, smear campaigns, harassment, and intimidation,” said Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab.

“Despite repeated revelations, there has been a shameful lack of accountability about the use of Pegasus spyware in India which only intensifies the sense of impunity over these human rights violations.”

Amnesty’s Security Lab undertook a forensic analysis on the phones of individuals around the world who received these notifications, including Varadarajan and Mangnale. It found traces of Pegasus spyware activity on devices owned by both Indian journalists.

Researchers recovered evidence from Mangnale’s device of a zero-click exploit which was sent to his phone over iMessage on 23 August 2023, and designed to covertly install the Pegasus spyware. The phone was running iOS 16.6, the latest version available at the time.

ADVERTISEMENT

A zero-click exploit refers to malicious software that enables spyware to be installed on a device without requiring any user action from the target, such as clicking on a link.

In its statement, Amnesty has once again called on all countries to ban the use and export of highly invasive spyware. India is singled out, though.

“To ensure transparency, Indian authorities should also publicly disclose information about any previous, current or future contracts with private surveillance companies, including with NSO Group,” said Amnesty.