NSO targets Human Rights Defenders in Morocco using TrueCaller as a cover

truecaller text

Photo by VanveenJF on Unsplash

Last week, Amnesty International published a report revealing the Moroccan government appears to have been using spyware from Israeli company NSO Group against two human rights defenders, historian and columnist Maati Monjib and lawyer Abdessadak El Bouchattaoui.

In order for the government to gain control over their phones, Monjib and El Bouchattaoui had to click on a malicious link which would install NSO Group’s Pegasus spyware. NSO therefore has to craft malicious SMS messages that will look credible enough for their targets to click on.

Amnesty published a list of the text messages that were sent out. One was addressed to El Bouchattaoui, while Monjib received a total of 17. Two of the messages sent out to Monjib caught our attention: NSO Group was trying to pass as TrueCaller, an app designed to allow users to find out who is calling them.

 The text messages read:

“TruecaIIer à le plaisir de vous annoncer l'ajout d'une nouvelle fonctionnalité, consulter les noms des personnes qui ont cherché votre numéro durant une semaine”

[Truecaller has the pleasure to announce a new feature, you can now find out who has searched your number for a week.]

“Bonjour,Quelqu'un vous a recherché sur Truecaller.Découvrez de qui il s'agit.”

[Hello, someone looked you up on TrueCaller. Find out who it is.]

Both SMS messages included the malicious link that contained the NSO spyware, disguised as a shortened URL.

Earlier this year, Privacy International exposed the role of TrueCaller – an app that allows its users to tag the people who call them – in putting an investigative journalist at risk. And even more worryingly, this may all happen without the person’s knowledge, as TrueCaller does not warn people whose number is added on the database.

Crucially, when a user enters a number on TrueCaller, they are informed if the number they have entered is a TrueCaller user or not, as TrueCaller users have their own profiles. In other words, it would have been trivially easy for NSO to find out whether Monjib was a TrueCaller user or not.

While we do not know if Monjib was indeed a Truecaller user, we may assume NSO or any other actor is able to use this particular cover to appear all the more convincing because of this underlying mechanism.

This is therefore yet another case where Truecaller can evidently be very easily abused by malicious groups or individuals without requiring anything other than the phone number of a targeted person.

There is also increased attention on the effects of TrueCaller in other parts of the world: in 2017, a Nigerian citizen filed an application the company. The class action was aimed at representing himself and other “non-users of Truecaller.”As reported by TechCabal, the case is currently being considered by the Court of Appeal,

Earlier this year, we asked TrueCaller to improve their practices when it comes to non-users and while the company was willing to engage, they refused to take on board our suggestions. This latest example shows how the app can put users at risk as well. We think it is about time for TrueCaller to change.