The Guardian view on hacking: a dangerous arms trade | Editorial

Cyberweapons are dangerous in themselves. Their proliferation makes them much more harmful

NSO Group, an Israeli firm that has risen to a billion-dollar valuation on the strength of the aggressive hacking tools it sells to authoritarian governments across the Arab world, is being sued by lawyers and activists who claim to be victims of its software. One of the lawyers involved in the suit was targeted some weeks ago by mysterious WhatsApp calls to his phone in the middle of the night. When he contacted technical experts, they discovered Pegasus 3, an aggressive virus that can apparently install itself on a phone without the victim taking any action at all. Once installed, it takes control of the device, recording conversations and video. It can destroy the evidence of its own arrival and existence, and control any files on the device. In effect, it turns a smartphone into the perfect spying device, which the victim will carry everywhere with them.

Similar programs are widely available to abusers of all sorts, which is one reason why many domestic violence shelters ban the use of smartphones. But the ones that can easily be bought require some action from the victim, usually a misplaced click, or else a few moments' access to their phone. The NSO malware targeting WhatsApp is different in that it could install itself without the victim doing anything at all. To discover and exploit the programming mistakes that opened this vulnerability would take years and cost millions of dollars. That is why it's assumed that only states, or state-backed actors, have the resources to produce them.