New report identifies six countries—Australia, Canada, Cyprus, Denmark, Israel, and Singapore—as potential clients of Paragon's Graphite spyware.
The findings contradict Paragon's claims of only selling to democratic nations and allies of the United States.
The spyware targets specific apps on Android phones, making detection more challenging.
WhatsApp previously alerted 90 users, including some in Italy, about being targeted with Paragon spyware.
Meta has confirmed that the indicator Citizen Lab refers to as "BIGPRETZEL" is associated with Paragon.

Situation Report

A new report by Citizen Lab, a group of academics and security researchers housed at the University of Toronto, has identified several countries as potential customers of Paragon Solutions, an Israeli spyware vendor.

The report alleges that Australia, Canada, Cyprus, Denmark, Israel, and Singapore are likely clients of Paragon's Graphite spyware.

This revelation challenges Paragon's long-standing claims of being a responsible vendor that only sells to democratic regimes, particularly the United States and its allies.

Technical Findings

Citizen Lab's investigation mapped Paragon's server infrastructure, uncovering IP addresses, hosted at local telecom companies, that the researchers believe belong to Paragon's customers.

These findings were based on digital certificates bearing initials that match the names of the countries where the servers are located.

A significant operational mistake by Paragon left behind a digital certificate registered to Graphite, further strengthening the link between the company and the infrastructure.

The researchers also identified the Ontario Provincial Police (OPP) in Canada as a specific customer, given that one of the IP addresses for the suspected Canadian customer is linked directly to the OPP.

Paragon's Response

Paragon's executive chairman, John Fleming, stated that Citizen Lab provided limited and potentially inaccurate information.

However, he did not specify what was inaccurate or comment on whether the identified countries are indeed Paragon customers.

This response has done little to quell the controversy surrounding the company's clientele and practices.

Spyware Tactics and Challenges

Citizen Lab's research indicates that Paragon's Graphite spyware targets specific apps on Android phones, making it more difficult to detect than other spyware such as NSO Group's Pegasus.

This tactic may give app makers more visibility into spyware operations, but it also poses challenges for forensic investigators trying to uncover evidence of a hack.

As Bill Marczak, a senior researcher at Citizen Lab, noted, collaboration and information sharing are crucial in unraveling even the toughest cases.