121 Indians were targets of a massive snoop through an Israeli spyware that broke into phones through WhatsApp, the Facebook-owned company had informed Indian authorities in the last week of September, as first reported by the Indian Express and confirmed by sources to NDTV. This was the second alert after May, according to sources, which was sent by the messaging platform to Indian authorities about the privacy breach.
All 121 users were reportedly alerted about the security breach.
The centre on Thursday demanded an explanation from the social networking app after it admitted that Indian journalists and human rights activists were among those globally spied upon by unnamed entities using an Israeli spyware Pegasus.
The spyware Pegasus gets into the user's phone when the person gets a video call. As the phone rings, the attacker transmits a malicious code and the spyware is installed even if the user does not answer the call at all. By taking over the phone's systems, the attacker gets access to the user's WhatsApp messages and calls, regular voice calls, passwords, contact lists, calendar events, phone's microphone and camera.
It can even turn on the camera and mic to track and hear what is happening around the user.
"Government of India is concerned at the breach of privacy of citizens of India on the messaging platform WhatsApp. We have asked Whatsapp to explain the kind of breach and what it is doing to safeguard the privacy of millions of Indian citizens," said Union Minister Ravi Shankar Prasad said on Friday, denying government's role as alleged by some activists.
"Government is committed to protecting privacy of all Indian citizens. Government agencies have a well-established protocol for interception, which includes sanction and supervision from highly ranked officials in central and state governments, for clear stated reasons in national interest," the minister added.
India is WhatsApp's biggest market with 400 million users. In a statement, the Facebook-owned company on Friday said it had "worked quickly to resolve the issue" after sending the first alert to the Indian authorities in May. Both the alerts were reportedly sent to the Computer Emergency Response Team (CERT-In), a department under the Ministry of Electronics and Information Technology.
"Our highest priority is the privacy and security of WhatsApp users. In May we quickly resolved a security issue and notified relevant Indian and international government authorities," a company spokesperson said in the statement.
"Since then we've worked to identify targeted users to ask the courts to hold the international spyware firm known as the NSO Group accountable," the statement read.
"We agree with the government of India it's critical that together we do all we can to protect users from hackers attempting to weaken security. WhatsApp remains committed to the protection of all user messages through the product we provide," it added.
Government sources, however, denied the claims, saying WhatsApp only informed them about the vulnerability of their app in "technical jargon" in May and that the company made no mention of Pegasus spyware and Indian users being targeted.
While WhatsApp has refused to provide the exact number of users targeted across the globe, Facebook has sued Israeli firm NSO for $75,000 for illegally using WhatsApp servers to sneak Pegasus spyware into 1,400 phones across 20 countries.