A notorious spyware product that's been sold to governments may have infected smartphones across 45 countries, including the US, according to new research.

The Pegasus spyware strain, which can infect iOS and Android devices, may be in use by 36 government customers, says Citizen Lab, a watchdog group at the University of Toronto. At least 10 of those customers appear to be spying on those outside their own countries.

For instance, Citizen Lab uncovered evidence that indicates one suspected Pegasus operator was trying to infect victims in both Mexico and the US. Another appeared to be targeting smartphone devices in the Middle East, the UK, and Canada.

The watchdog group tracked the activities based on prior investigations into the Pegasus spyware. Using that data, Citizen Lab created a digital "fingerprint" that helped it scan for and identify which servers on the internet are distributing the notorious product to unsuspecting victims.

In the past, Pegasus infected phones by convincing the smartphone owner to open a specially crafted web link. On iPhones, the spyware download itself to the device—without the user's permission—by exploiting previously unknown vulnerabilities in iOS. Once installed, the spyware could steal personal data, record live calls, track location, and secretly snap photos from the handset's camera.

Citizen Lab is alarmed by the ongoing spread of Pegasus because it's been allegedly used to target human rights activists, lawyers, politicians, and journalists. By spying on targets in the US, the government customers operating Pegasus may also be violating United States law. The group's findings also show that the number of servers behind the spyware has almost tripled from two years ago.

"The global market for government exclusive spyware continues to grow, and as it does, more governments and security services with histories of abuse will acquire this technology," the group said.

However, the Israeli company behind Pegasus, NSO Group, dismisses Citizen Lab's findings. "NSO does not sell its products in many of the countries listed," the company said in an email to Citizen Lab. "As an example, the product is specifically designed to not operate in the USA."

NSO says its products have "saved the lives of thousands of people" by preventing terrorist attacks and helping investigators nab criminals. "We are proud of our products and our employees, whose work makes the world a safer place," it said.

Further Reading

Security Reviews