The report says NSO Group’s proprietary smartphone malware, Pegasus, harvests not only data stored on a device but also any information stored in the cloud, including a user’s location data, archived messages, and photos.
NSO Group, who previously installed the malware in Facebook’s WhatsApp, denied that it markets software capable of capturing data in the cloud. It’s unclear if it has developed the tools internally.
“The Financial Times got it wrong. NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure suggested in this article,” the company told CNBC in a statement.
“Increasingly sophisticated terrorists and criminals are taking advantage of encrypted technologies to plan and conceal their crimes, leaving intelligence and law enforcement agencies in the dark and putting public safety and national security at risk. NSO’s lawful interception products are designed to confront this challenge.”
NSO Group says it has a screening process for clients and only sells to responsible governments for facilitating terrorism or criminal investigations.
In May, WhatsApp said a flaw in the messenger service could allow NSO Group software to be downloaded to phones through a simple phone call and to monitor calls made through the service. The Facebook-owned application put a patch in place to fix the problem.
NSO Group is also known for its alleged role in assisting the FBI in opening the phone of the San Bernardino mass shooter after Apple fought an FBI request to do so.
After the malware is installed on a device, the new capability can copy authentication keys from services including Google Drive, Facebook Messenger and iCloud, according to the FT. A separate server then mimics the device, including its location.
In turn, the malware allows for open-ended access to the cloud data of those apps, without triggering additional security layers like “2-step verification or warning email on a target device,” the FT reported, citing an NSO sales document.
Amazon said it hasn’t found any evidence of the malware on its systems.
“We have no evidence that Amazon corporate systems, including customer accounts, have been accessed by the software product in question,” the company told CNBC. “We take customer privacy and security extremely seriously, and will continue to investigate and monitor the issue.”
Microsoft declined to comment on the FT story but said it has a protection service that can help protect users against these kinds of attacks. A Facebook spokesperson said the company is reviewing the claims in the report.
Apple and Google did not immediately return requests for comment.