According to the report, the NSO Group’s proprietary smartphone malware, Pegasus, harvests not only data stored on the device, but also any information stored in the cloud, including a user’s location data, archived messages and photos.
NSO Group, which previously installed malware in Facebook’s WhatsApp, denied that it markets software capable of capturing data in the cloud. It’s unclear whether it has developed the tools internally.
“The Financial Times got it wrong. NSO’s products do not provide the type of collection capabilities and access to cloud applications, services, or infrastructure suggested in this article,” the company told CNBC in a statement.
“Increasingly sophisticated terrorists and criminals are taking advantage of encrypted technologies to plan and conceal their crimes, leaving intelligence and law enforcement agencies in the dark and putting public safety and national security at risk. NSO’s lawful interception products are designed to confront this challenge.”
NSO Group says it has a screening process for clients and only sells to responsible governments to support terrorism or criminal investigations.
In May, WhatsApp said a flaw in the messenger service could allow NSO Group software to be downloaded onto phones through a simple phone call and to monitor calls made through the service. The Facebook-owned application put a patch in place to fix the problem.
NSO Group is also known for its alleged role in assisting the FBI in opening the phone of the San Bernardino mass shooter after Apple fought an FBI request to do so.
After the malware is installed on a device, the new capability can copy authentication keys from services including Google Drive, Facebook Messenger and iCloud, according to the FT. A separate server then mimics the device, including its location.
In turn, the malware allows for open-ended access to the cloud data of those apps, without triggering additional security layers like “2-step verification or warning email on target device,” the FT reported, citing an NSO sales document.
Amazon said it hasn’t found any evidence of the malware on its systems.
“We have no evidence that Amazon corporate systems, including customer accounts, have been accessed by the software product in question,” the company told CNBC. “We take customer privacy and security extremely seriously, and will continue to investigate and monitor the issue.”
Microsoft, Facebook and Google did not immediately return requests for comment.