DEEPDIVE: I SPY

DEEPDIVE: I SPY is an investigative feature by David Delima published by Mumbai Mirror on 2 November 2019. The article examines one of the biggest cyber surveillance scandals to hit India, deconstructing the WhatsApp-Pegasus intrusion that affected 1,400 users across 20 countries, including at least 20 Indians, with expert analysis from Sunil Abraham on government involvement in contracting legal hacking solutions and the critical need for surveillance reform.

Contents

  1. Article Details
  2. Full Text
  3. Context and Background
  4. External Link

Article Details

📰 Published in:
Mumbai Mirror
✍️ Author:
David Delima
📅 Date:
2 November 2019
📄 Type:
Investigative feature / Deep dive
📰 Newspaper Link:
Read Online

Full Text

█ DEEPDIVE

Issue: WhatsApp Cyber Intrusion

1,400 affected in 20 countries

As one of the biggest cyber snoopgates to hit India unravels, we deconstruct some myths and fears surrounding the dark horse of cyber intrusion that is sure to have far-reaching consequences on our idea of privacy

How many spied on?

1,400 across 20 countries. At least 20 Indians (* Number yet to be verified)

When?

Between April 29 and May 10

Who were targeted?

High-ranking government and military officials, opposition leaders, lawyers, activists

Pegasus 2.0 – The dark horse

Earlier, the virus was sent via an SMS or a WhatsApp message as a link. Clicking on the link immediately infected the user's device. The updated version of Pegasus, however, is even more powerful – a missed call is enough for the malicious code to get into your phone.

Can you uninstall it?

There is no known way to uninstall Pegasus. Even a factory reset won't help, according to reports. But now that WhatsApp has patched the security issue, buying a new device and changing all your passwords may be the only way to get rid of it.

NSO is a private player using capabilities that Israelis have. There is no Israeli govt involvement here, everyone knows this is not about the state of Israel

— Zeev Elkin, Israeli security cabinet minister

Why is this important, especially for WhatsApp chats?

WhatsApp chats are touted to be protected by the strongest encryption methods known today. This means that any message shared between two users is heavily protected while it travels from one phone to another and no third party can view the encoded messages, not even WhatsApp.

Pegasus, however, once installed on the user's phone, renders this protection completely useless as once the messages are decoded and stored on the user's phone, the malware can upload the conversations and attachments to the monitoring server silently in the background.

What has been done so far?

International firms and their misdeeds are a little difficult to rectify due to global norms. On its part though, WhatsApp has filed a lawsuit against NSO Group in a California federal court alleging that the company violated its terms of service and "developed their malware in order to access messages and other communications after they were decrypted on target devices".

NSO has disputed the allegations stating that they will 'vigorously fight them.'

What is India's stand?

This one is a little difficult to explain. NSO says they sell their software exclusively to authorised government agencies. And even though the Indian government has outright denied its involvement, the fact remains that the software has reportedly been used to target journalists and civil activists that have dared to take on the government and/or question its policies. Several of the targeted users who have come forward to report the hack are associated with the ongoing Bhima Koregaon case.

Instead, pointing the gun back at the messaging giant, the Information and Technology ministry has sought a detailed response from WhatsApp by November 4.

Why disclose now?

Questions are being raised on whether the disclosure was a rearguard action by WhatsApp to prevent the government from bringing measures on traceability and accountability. Recently, the Centre sought three months' time from the Supreme Court to formulate rules to curb misuse of social media in the country. Earlier too the messaging giant has faced flak from the Indian government for being misused for spreading misinformation that led to incidents of mob lynching.

Our highest priority is the privacy and security of WhatsApp users. We agree with the government of India it's critical that together we do all we can to protect users from hackers attempting to weaken security.

— WhatsApp spokesperson

Should you be concerned?

If you haven't received a message from WhatsApp informing you of the hack, then no.

As the software has been developed to target individual users to glean important information, it is unlikely that the average user will be targeted. WhatsApp has also since patched the security hole that enabled the hacks.

If you have reason to suspect you were targeted, you must contact Citizen Lab or another cybersecurity agency, and avoid using your device for any sensitive communication.

Was I affected?

Since the latest versions of spyware like Pegasus are designed to leave no trail on a device, it is almost impossible to detect them. The only way one would know is through an official notification from the developer.

What to do if you have been infected

If you suspect you have been infected, you should immediately change all your passwords including emails, cloud-storage accounts among others. As the spyware records every detail including login IDs and passwords, merely changing your device wont suffice.

If the BJP has engaged Israeli agencies to snoop into phones of journalists, lawyers, activists and politicians, it is a gross violation of rights and a scandal with grave ramifications on national security

— Priyanka Gandhi, Congress

How to stay virus-free

  • Always pause before you click on a link even if sent by a friend.
  • If you receive a link from an unknown sender, ask yourself if you were expecting such a message
  • Use strong passwords
  • Keep all your apps updated
  • Avoid apps with dubious reputations or those developed by firms that don't share information about themselves

A FEW GOOD APPS

Not all applications are out to get you, there are some that you can use to protect yourself.

  • For Android phones, Lens Cap allows you to turn off your device's camera for any or all apps. You can even add a shortcut to your phone's home screen to enable and disable your camera with a single tap.
  • For iPhones, go to Settings, choose Screen Time, tap Content and Privacy Restrictions, then choose Allowed Apps and slide the Camera option to the off position. Now, your iPhone camera will remain disabled for any app, until you enable it again.
  • And when in doubt, simply follow the IT mantra - turn off your device and/or leave it in another room if you feel the conversation you are about to have is sensitive.

Expert speak

► This clearly means that some entities within the Indian govt are, in all likelihood, contracting providers of legal hacking solutions – Sunil Abraham, Director, CIS

► This shows just how important it is to have surveillance reform which includes tabling of the Data Protection Bill in parliament, and that evidence through such means is not admissible in any court – Vrinda Bhandari, Supreme Court advocate

Back to Top ⇧

Context and Background

The feature appeared in November 2019 following WhatsApp’s disclosure that Israeli surveillance firm NSO Group had exploited a vulnerability in its calling feature to install Pegasus spyware on approximately 1,400 devices across 20 countries. The attack represented a watershed moment for digital privacy in India, revealing sophisticated state-level surveillance capabilities deployed against civil society activists, journalists and lawyers.

Unlike earlier Pegasus attacks requiring user interaction with malicious links, the 2019 variant employed “zero-click” exploitation through missed WhatsApp calls, rendering even cautious users vulnerable. The malware’s ability to bypass end-to-end encryption by capturing data after decryption on the target device exposed fundamental limitations in securing communications against state-sponsored surveillance.

Sunil Abraham’s assessment that “entities within the Indian govt are, in all likelihood, contracting providers of legal hacking solutions” challenged official denials while acknowledging the reality of government procurement of commercial spyware. His call for surveillance reform and data protection legislation reflected concern that India lacked legal frameworks to authorize, constrain or provide oversight for such capabilities. The parallel demand from Supreme Court advocate Vrinda Bhandari that evidence obtained through such means be inadmissible addressed the constitutional implications of secret surveillance targeting those engaged in lawful dissent.

The scandal intersected with ongoing tensions between the Indian government and WhatsApp over traceability requirements that would undermine end-to-end encryption. Several targeted individuals were associated with the Bhima Koregaon case, where activists and lawyers were arrested on terrorism charges that rights groups characterized as politically motivated. The timing of WhatsApp’s disclosure raised questions about whether the company was pre-empting government pressure by publicly demonstrating the risks of weakening encryption safeguards.

The article’s practical security advice acknowledged the limitations of technical defenses against state-level adversaries. Recommendations to replace infected devices rather than attempt cleanup reflected the sophistication of modern spyware, while suggestions to physically isolate devices during sensitive conversations implicitly accepted that software-only protection was insufficient against well-resourced attackers.

📄 This page was created on 21 December 2025. You can view its history on GitHub, preview the fileTip: Press Alt+Shift+G, or inspect the .