Written by Sean Lyngaas

An infamous brand of mobile spyware may be operating in 45 countries as part of a sprawling footprint that could enable human rights abuses, according to a new report.

The Pegasus spyware made by Israeli surveillance company NSO Group correlated with more than a thousand IP addresses over a two-year study conducted by The Citizen Lab, a research and development organization at the University of Toronto. The Pegasus spyware attempts to lure targets into clicking on links and then delivers zero-day exploits to breach the defenses of iPhones and Android phones.

Several of the countries where the researchers detected Pegasus have poor human rights records, such as Bahrain, Kazakhstan, and Saudi Arabia. “Our findings paint a bleak picture of the human rights risks of NSO’s global proliferation,” the report states. At least 10 operators of the spyware “appear to be actively engaged in cross-border surveillance,” according to Citizen Lab, pointing to the geopolitical realities of nation-state spying.

An NSO Group representative could not be reached for comment on the Citizen Lab report. A company spokesperson told Motherboard that NSO Group does not operate in many of the countries listed in the report. The company says its product is used by law enforcement agencies to investigate and prevent crime and terror.

Citizen Lab counters that its results inevitably include non-NSO Group customers because there appear to be Pegasus users operating in multiple countries. The research also notes that the use of location-spoofing tools like VPNs “may skew our geolocation results.”

The surveillance company gained notoriety in 2016 after Citizen Lab produced evidence that the United Arab Emirates government had used Pegasus to spy on human rights activist Ahmed Mansoor, who has since been sentenced to ten years in prison for social media posts.

NSO Group’s surveillance tools are highly coveted. A former company employee has been charged with stealing and trying to sell NSO Group’s proprietary code on the dark web for $50 million in cryptocurrency, the Israeli justice ministry said in July.

NSO Group is not the only spyware company to apparently rub shoulders with autocratic regimes. A report in May from nonprofit Access Now documented how malware from another vendor, FinFisher, was used to target critics of the Turkish government.