Pegasus gov't spyware used to target colleague of slain drug cartel journalist

Just days after the death of a reporter investigating drug cartels, the spyware appeared on the radar.
Written by Charlie Osborne, Contributing Writer

Following the death of an investigative journalist known for exploring the world of Mexican drug cartels, a colleague was targeted with Pegasus, a surveillance solution apparently sold to governments only for use in criminal cases.

Javier Valdez Cárdenas, the founder of Mexican publication Río Doce, which is applauded for its investigations into drug cartels, was gunned down close to his office in May 2017.

According to a report from Citizen Lab, two days after the journalist was murdered, Río Doce's director and a colleague, Ismael Bojórquez, began to receive unusual messages on his handset which, upon further investigation, turned out to be attempts at infecting his mobile device with Pegasus spyware.

Israeli firm NSO Group's Pegasus is one of the most sophisticated forms of mobile spyware known to exist today.

The malware, developed for both Android and iOS devices, is able to exfiltrate a vast array of information from an infected device, including key logs, text messages, emails, images, audio -- such as live phone calls -- as well as information from applications including Skype, Facebook, Twitter, and WhatsApp.

Pegasus has been linked to state attempts to monitor activists in the Middle East and it is believed that the Mexican government uses the malware to monitor individuals of interest. Journalists, activists, political opposition, lawyers, health practitioners, and human rights defenders are only some of the known victims of the malware.

Citizen Lab previously found that Pegasus is being used in 45 countries, including the United States, Mexico, Canada, the United Kingdom, Brazil, South Africa, and Turkey.

Pegasus may be advertised as "lawful intercept" software designed for use only by governments in order to combat criminals and terrorism, but Citizen Lab's findings suggest that cross-border surveillance may also be at play and the software is being abused worldwide for political purposes.

In the Río Doce director's case, several of the infection attempts, sent in message form, attempted to entice the would-be victim to click on a link to obtain information on the killer of Cárdenas.

Another member of the publication, Director of Information Andrés Villarreal, also began to receive the same phishing messages after the original infection attempts failed.

"The message was, in fact, a carefully crafted attempt to infect his phone with Pegasus spyware," the organization says. "Had Villarreal clicked on the link, his phone would have been turned into a digital spy in his pocket. He would go on to receive several more infection attempts in the ensuing days."

The URLs embedded in the messages have been linked to known NSO Group exploit domains and RECKLESS-1's past attempts to target civilians.

Thankfully, neither journalist fell for the phishing attempt.

Citizen Lab says the attacker behind the messages, dubbed RECKLESS-1, is an operator linked to the Mexican government. In total, 24 individuals have been identified as targets of the surveillance software in the country.

Despite evidence of widespread abuse, Pegasus remains in operation in Mexico and NSO Group does not appear to be overly concerned about how the firm's product is being used to target individuals for political purposes, rather than criminal investigations.

The Mexican Office of the Attorney General (Procurador General de la República, PGR) is the only publicly known customer of NSO Group in the country.

"While there is very little publicly-available information on NSO Group's oversight practices, the continued use of Pegasus in Mexico suggests that their current procedures are problematic both substantively and in their implementation and application," the report added.

NSO Group has previously told the publication that Pegasus is designed for use purely "for the investigation and prevention of crime and terrorism," but considering Mexico's poor track record for freedom of the press and human rights, the procedures in place to select its buyers may be falling short.

Reports suggest that the Israeli firm has also recently offered Saudi Arabia access to surveillance software, a few months before a political purge took place. This is the same country in which Jamal Khashoggi, a well-known journalist and critic of the Saudi government, was murdered after entering the country's consulate in Istanbul.
