WhatsApp has patched a zero-click, zero-day vulnerability used to install Paragon's Graphite spyware following reports from security researchers at the University of Toronto's Citizen Lab.

On January 31, after mitigating the zero-click exploit deployed in these attacks, WhatsApp notified roughly 90 Android users from over two dozen countries, including Italian journalists and activists, who had been targeted with Paragon spyware to collect sensitive data and intercept their private communications.

In the next attack stage, the victim's device automatically processed the PDF, exploiting the now-patched zero-day vulnerability to load a Graphite spyware implant in WhatsApp.

Graphite spyware infections can be detected on hacked Android devices with the help of a forensic artifact (dubbed BIGPRETZEL) that can be spotted by analyzing compromised devices' logs.

Citizen Lab also mapped out the server infrastructure used by Paragon to deploy the Graphite spyware implants on targets' devices, finding potential links to multiple government customers, including Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Starting from the domain of a single server within Paragon's infrastructure, the researchers developed multiple fingerprints that helped discover 150 digital certificates linked to dozens of IP addresses believed to be part of a dedicated command and control infrastructure.

"This infrastructure included cloud-based servers likely rented by Paragon and/or its customers, as well as servers likely hosted on the premises of Paragon and its government customers," the researchers said.

Unlike competitors such as NSO Group, Paragon claims it only sells its surveillance tools to law enforcement and intelligence agencies in democratic countries that want to target dangerous criminals.
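The certificate-fingerprint pivot the article describes (start from one known server, derive a fingerprint from its TLS certificate, find other hosts whose certificates match) is a standard infrastructure-mapping technique. The following is an added illustration written for this page, not code from BleepingComputer, Citizen Lab, or Paragon, and it does not reproduce Citizen Lab's actual fingerprints, which the article does not disclose. All certificate records, IP addresses, issuer names, and the benign baseline are constructed sample data (assumptions), not real indicators.

```python
"""Pivoting on structural TLS certificate fingerprints to cluster suspected C2 hosts.

Added example, not code from the article or from Citizen Lab. Every record below
is constructed sample data: the IPs are documentation ranges and the issuer and
subject strings are invented. The fingerprint features chosen here are an
assumption about what an operator's certificate-generation template would
reproduce across hosts; real research would derive them from the seed server.
"""
from collections import defaultdict
from datetime import date

# Constructed records, as a scanner might report after parsing each host's
# leaf certificate. Nothing here is a real indicator of compromise.
SAMPLE_CERTS = [
    {"ip": "203.0.113.10",  "issuer": "CN=Example Self-Signed CA", "subject_o": "Example Corp",
     "key_bits": 2048, "not_before": "2024-03-01", "not_after": "2025-03-01", "san_count": 1, "serial_hex_len": 32},
    {"ip": "198.51.100.7",  "issuer": "CN=Example Self-Signed CA", "subject_o": "Example Corp",
     "key_bits": 2048, "not_before": "2024-04-15", "not_after": "2025-04-15", "san_count": 1, "serial_hex_len": 32},
    {"ip": "192.0.2.23",    "issuer": "CN=Example Self-Signed CA", "subject_o": "Example Corp",
     "key_bits": 4096, "not_before": "2024-03-01", "not_after": "2025-03-01", "san_count": 1, "serial_hex_len": 32},
    {"ip": "198.51.100.99", "issuer": "CN=Example Self-Signed CA", "subject_o": "Example Corp",
     "key_bits": 2048, "not_before": "2024-06-10", "not_after": "2025-06-10", "san_count": 1, "serial_hex_len": 32},
    {"ip": "192.0.2.77",    "issuer": "CN=Example Self-Signed CA", "subject_o": "",
     "key_bits": 2048, "not_before": "2024-03-01", "not_after": "2025-03-01", "san_count": 1, "serial_hex_len": 32},
    # Two hosts with a generic public-CA-style certificate (constructed, 90-day validity).
    {"ip": "203.0.113.200", "issuer": "CN=Example Public CA R3", "subject_o": "",
     "key_bits": 2048, "not_before": "2024-05-01", "not_after": "2024-07-30", "san_count": 2, "serial_hex_len": 36},
    {"ip": "203.0.113.201", "issuer": "CN=Example Public CA R3", "subject_o": "",
     "key_bits": 2048, "not_before": "2024-05-01", "not_after": "2024-07-30", "san_count": 2, "serial_hex_len": 36},
]


def validity_days(rec):
    """Length of the certificate's validity window in days, from the ISO dates."""
    return (date.fromisoformat(rec["not_after"]) - date.fromisoformat(rec["not_before"])).days


def cert_fingerprint(rec):
    """Structural fingerprint built from features that survive changes of hostname
    and IP: issuer DN, subject organisation, key size, validity length, number of
    SAN entries and serial-number length. Actual dates and names are deliberately
    left out so re-issued certificates on new servers still match."""
    return (rec["issuer"], rec["subject_o"], rec["key_bits"],
            validity_days(rec), rec["san_count"], rec["serial_hex_len"])


# Fingerprints that are too common to be meaningful on their own (constructed
# baseline; in practice this would come from scanning known-benign hosts).
BENIGN_BASELINE = {cert_fingerprint(SAMPLE_CERTS[5])}


def pivot_from_seed(seed_ip, records):
    """Return the other IPs whose certificate shares the seed host's fingerprint."""
    by_ip = {r["ip"]: r for r in records}
    seed_fp = cert_fingerprint(by_ip[seed_ip])
    return sorted(r["ip"] for r in records
                  if r["ip"] != seed_ip and cert_fingerprint(r) == seed_fp)


def cluster_by_fingerprint(records, min_size=2, baseline=BENIGN_BASELINE):
    """Group every host by fingerprint, dropping fingerprints seen in the benign
    baseline (to avoid flagging every host that uses a common CA template) and
    clusters smaller than min_size. Returns {fingerprint: [ips]}."""
    groups = defaultdict(list)
    for r in records:
        fp = cert_fingerprint(r)
        if fp not in baseline:
            groups[fp].append(r["ip"])
    return {fp: sorted(ips) for fp, ips in groups.items() if len(ips) >= min_size}


if __name__ == "__main__":
    print("pivot from 203.0.113.10:", pivot_from_seed("203.0.113.10", SAMPLE_CERTS))
    for fp, ips in cluster_by_fingerprint(SAMPLE_CERTS).items():
        print("cluster", fp, "->", ips)
```

The baseline step matters in practice: a fingerprint that matches a widely used public-CA template would pull in thousands of unrelated hosts, so only fingerprints that are rare across the wider scan population are useful pivots, and any cluster still needs corroboration (hosting, timing, behaviour) before it is treated as attacker infrastructure.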
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 19 Mar 2025 16:05:04 +0000