As the number of politicians, activists and journalists hacked with spyware grew to include prime ministers and prominent dissidents in the European Union, the world’s biggest democratic club, the European Parliament in April started checking its members’ phones.
About 200 devices in, it hit its first positive.
A high-profile European Parliament deputy from Greece and leader of a major opposition party there was targeted with malicious spyware last year, an analysis of his phone by the Parliament’s technology experts revealed.
The politician, Nikos Androulakis, who became leader of Greece’s third-largest political party, the center-left PASOK-KINAL, at the end of last year, submitted his personal mobile device to the new spyware-detecting tech lab at the European Parliament in Brussels.
Late last month, the experts notified Androulakis that, in September 2021, weeks after declaring he would be a candidate to lead the opposition party back home, he had received a text message with a link that would have installed the spyware Predator, a clunkier version of the famous spyware Pegasus, on his phone, had he clicked on it.
“Let’s look at this seriously friend, there’s something to gain,” the text said, followed by the link.
Androulakis, not recognising the sender, did not take the bait, so his phone was not infected.
The discovery of the attempt, following cases in Spain, Hungary and Poland, compounded concerns that, even in a bloc that claims to be the world’s standard-bearer for democracy and the rule of law, such technology is being used for nefarious political purposes.
The European Commission, the EU executive branch, deferred the matter to national authorities, but the pressure on it to act has been mounting, not least because it has had its own staff targeted by spyware.
In a letter to a European Parliament deputy dated July 25 and seen by The New York Times, the European Commission said that its top justice official, Didier Reynders, and a number of his staff had received alerts from Apple in November that their phones had been compromised by spyware. The infection alert and the letter were first reported on by Reuters.
In a letter to Sophie in ’t Veld, a Dutch lawmaker who chairs the European Parliament’s special committee on spyware, the European Commission said its own experts had not been able to confirm the infection but had found “several indicators of compromise” and could not ascertain who was behind them.
“Governments are buying this stuff, and it’s very, very difficult for them to resist the temptation to use it for political purposes,” said in ’t Veld, a senior member of the Parliament.
“It’s too early to say what’s going on here, but it doesn’t look good, does it?” she said of Androulakis’ case. “It doesn’t matter if the phone wasn’t compromised; the political fact is that there was an attempt.”
The Greek government said in a statement Monday that authorities should investigate the case urgently. It has firmly denied using Predator.
The Predator software is marketed by a company called Cytrox, based in North Macedonia. The company’s website is defunct, and an email request for comment to the sole address listed elsewhere online, seemingly to its CEO, bounced back.
Meta and Google have documented the use of realistic-looking links, which mimic mainstream Greek websites, being used to infect personal mobile devices with the spyware. The link sent to Androulakis was from one of the fake websites recorded by Meta. The attempt took place soon after a similar effort to infect the phone of Thanasis Koukakis, a Greek investigative journalist, though a text message, succeeded after Koukakis clicked on the link.
The Greek government, in the summer of 2021, denied being behind the infection of Koukakis’ phone.
Androulakis, the Greek opposition leader, filed a lawsuit with Greece’s top court Monday to try to compel Greek authorities to investigate.
“Revealing who’s behind these appalling practices and who they are acting for isn’t a personal matter; it’s a democratic duty,” Androulakis said after filing the lawsuit in Athens.
Citizen Lab, the world’s foremost experts on spyware, based at the University of Toronto, said in a report on Predator that it was being used by the governments of Egypt, Greece, Indonesia, Madagascar and Saudi Arabia. The lab has said it is highly unlikely that companies or individuals have been able to buy the spyware, which costs hundreds of thousands of dollars.
The Predator spyware is a less sophisticated version of Pegasus, a software that was developed by Israeli company NSO Group, ostensibly to help governments catch criminals and terrorists. The software allows users to monitor every aspect of a target’s phone — including calls, messages, photos and video. Predator requires the target to click a link; Pegasus does not.
In November, the Biden administration blacklisted NSO Group, saying it had knowingly supplied spyware that has been used by foreign governments to target dissidents, human rights activists, journalists and others. Around the same time, Apple sued NSO to block it from infecting iPhones; Meta (then Facebook) also sued NSO in 2019 over attempts to infect users through WhatsApp.
Last year, a forensic investigation by Citizen Lab, Amnesty International and an international consortium of media organizations revealed that several governments, including members of the European Union, deployed Pegasus to spy on scores of their own citizens.
The European Parliament began investigating the claims and during a visit to Israel discovered that at least 14 EU governments had purchased Pegasus, with two of these contracts terminated by the NSO group. Chaim Gelfand, general counsel and chief compliance officer of NSO, said at least one of those terminations was because the government was using the software for “purposes other than fighting serious crime and terrorism.”
“Every customer we sell to, we do due diligence in advance in order to assess the rule of law in that country,” Gelfand told the committee last month.
Citizens in at least six EU nations have been targeted by the spyware, according to a recent study commissioned by European lawmakers. Among those hacked were Spain’s prime minister, Pedro Sánchez, and the country’s defense minister. Others reportedly targeted include Charles Michel, prime minister of Belgium at the time; Reynders, the EU top justice official; and President Emmanuel Macron of France.
In Hungary, authorities targeted at least 39 people, including journalists, with the Pegasus software, according to investigative news outlet Direkt36. An official investigation concluded that the Hungarian government acted lawfully.
The Polish government confirmed in January that it had acquired Pegasus but denied accusations that it was using it to spy on government critics, despite reports from local media about scores of hacks.
In Spain, a Citizen Lab report, confirmed by forensic research by Amnesty International, revealed that several Catalan public figures were targeted with surveillance software, mostly after the 2017 unsuccessful referendum for the Catalan independence.