Commercial Spyware, Once a Military Tool, Is Now Routinely Deployed Against Journalists

From the Editor’s Desk

Governments worldwide are systematically deploying commercial spyware against journalists, and the business of building and selling such tools has grown into a global industry operating with little regulation or accountability, according to a study by the International Federation of Journalists, or IFJ, a Brussels-based organisation representing journalists globally.

The report, prepared by digital security expert Samar Al Halal and co-funded by the European Union, found that sophisticated surveillance software once confined to military intelligence agencies has been repackaged and sold to governments as a legitimate tool for intercepting the communications of criminals and security threats. The report found that governments have routinely turned these tools against journalists instead.

Spyware

Three platforms dominate the market – Pegasus, Predator and Graphite.

Pegasus, made by Israel’s NSO Group, can silently break into both iPhones and Android phones without the target doing anything at all. It does this by exploiting flaws in phone software that the manufacturer has not yet discovered or fixed. 

Predator, made by the European Intellexa alliance, works in much the same way.

Graphite is made by Paragon Solutions, an Israeli company founded in 2019. Its founders include former Israeli Prime Minister Ehud Barak and Ehud Schneorson, a former head of Unit 8200, the Israeli military’s eavesdropping and code-breaking division. Graphite focuses on pulling data out of messaging applications such as WhatsApp.

In some cases, spyware reaches a journalist’s phone through the internet connection itself. In 2023, the Citizen Lab, a research group at the University of Toronto that investigates digital attacks on journalists and activists, found that a device hidden inside Vodafone Egypt’s mobile network was intercepting journalists’ web traffic and silently installing Predator on their phones, with no click required.

In 2021, Pegasus was found on the phones of at least 180 journalists across more than 20 countries, even as NSO Group maintained that it sells only to vetted government clients, claiming 60 military, intelligence, and law enforcement agencies in 40 countries. Predator has been sold to at least 16 countries across three continents. Graphite’s spread has been documented more recently. In January 2025, Meta reported that around 90 users, including journalists and activists, had been told they were targeted through WhatsApp. That same year, Citizen Lab confirmed Graphite infections on journalists’ phones in Italy, and it emerged that Paragon had secured a $2 million contract with U.S. Immigration and Customs Enforcement, the first confirmed instance of a U.S. law enforcement agency buying such spyware.

The Reporters Without Borders Press Freedom Index 2025 listed surveillance as one of the top three threats to journalists’ safety worldwide. Most journalists do not learn they have been targeted until a specialist laboratory examines their phone and confirms an infection, often months after it happened, by which time much of the evidence has disappeared.

Other Methods

Spyware planted on a phone is only one of the ways journalists are watched. The report documented several others that leave no trace on the device at all.

Mobile networks worldwide rely on an ageing call-routing system called Signaling System 7, or SS7, built decades ago when security was not a priority. Anyone who gains access to SS7 can intercept a journalist’s calls, read their text messages, and track their movements in real time, all without ever touching the journalist’s phone.

An IMSI catcher is a portable device, small enough to fit in a van, that pretends to be a mobile phone tower. Nearby phones automatically connect to it, allowing the operator to identify whose phones are present, track their location, and in some cases listen in on calls. The report says these devices have been deployed at protests specifically to identify and eavesdrop on journalists. In Belarus, authorities used them during the 2020 protests to log the identities of journalists in the crowd, intercepted their calls, and then broadcast those calls on state television to publicly discredit them.

Surveillance does not always require breaking into a phone remotely. Sometimes the device simply needs to be physically taken away. A 2024 Amnesty International investigation found that Serbian authorities used a commercially sold phone-unlocking device called Cellebrite to access confiscated phones belonging to journalists and activists, then secretly installed spyware called NoviSpy before handing the phones back.

Country Cases

The report documented a lethal convergence of surveillance and military action.

Reuters journalist Issam Abdallah was killed by an Israeli tank strike on October 13, 2023, while covering the Lebanon-Israel border. Independent investigations confirmed that Israeli drones, an Apache helicopter, and five ground surveillance towers had the journalists’ position in continuous view for more than 75 minutes before the strike. A subsequent investigation by the UN Interim Force in Lebanon, or UNIFIL, found the tank fired two 120mm rounds at a group of clearly identifiable journalists, in violation of international law.

In Mexico, Citizen Lab documented at least 76 malicious text messages sent to reporters, lawyers, and a minor, timed to coincide with investigations into government corruption. In El Salvador in 2020 and 2021, a joint forensic investigation confirmed 35 Pegasus-infected individuals across 37 devices, the majority of them journalists.

Surveillance in India and South Asia

In December 2023, Amnesty International’s Security Lab reported that high-profile journalists in India had been repeatedly targeted with Pegasus, according to the report. Examination of their phones found evidence of a zero-click attack, meaning the spyware had been installed with no action required from the journalists, not even clicking a link. The infections were found to have taken place between August and October 2023.

This was not the first time Indian journalists had been warned. In 2019, WhatsApp notified a number of them that they may have been targeted through a flaw in the app’s voice-calling feature, which NSO Group had exploited before it was fixed. The report says this pattern of targeting tends to intensify around elections and sensitive investigations.

The Indian government has neither confirmed nor denied buying Pegasus, notes the report. The matter has been raised before the Supreme Court and in parliament. Researchers and civil society groups have also raised questions about India’s past use of FinFisher, an older government-grade spyware tool that has since been shut down.

The report also notes that police in India have been found building charts mapping journalists’ contacts and networks, using data taken from seized phones.

On Pakistan, the report says the country combines two approaches: tapping directly into phone networks and using commercial spyware. In 2015, civil society groups took the government to the Lahore High Court, challenging its alleged use of FinFisher after technical evidence confirmed the software had been operating inside the country. Citizen Lab’s 2018 global mapping identified Pegasus operators active across 45 countries, with Pakistan among the locations of likely interest, though firm, case-by-case proof remains limited in what is publicly available. Journalists in Pakistan, the report says, routinely assume their calls and messages are being monitored, and regularly encounter attempts to steal their passwords or trick them into revealing sensitive information.

No other South Asian country, including Bangladesh, Sri Lanka, Nepal, or Afghanistan, received any mention in the report. The geographic focus of the study’s primary case studies was India, Pakistan, Kenya, Italy, Serbia, Brazil, Mexico, El Salvador, Lebanon, and Jordan, with additional material from Israel/Palestine and Russia/Belarus.

The report found that journalists in poorer countries face a particular disadvantage when it comes to getting help. They often have to send their phones abroad or wait for foreign experts to examine them, and many find out about the attack only after their sources have already been exposed.

The report calls for an immediate halt to the export, sale and use of invasive spyware until governments put human rights protections in place, and for any future use of such tools to require approval from a court, with the results reported openly to parliament or the public.

You have just read a News Briefing, written by us to cut through the noise and present a single story for the day that matters to you. We encourage you to read the News Briefing each day. Our objective is to help you become not just an informed citizen, but an engagedand responsible one.