In a new report, Citizen Lab researchers warned that sophisticated mobile spyware, dubbed Pegasus — made and sold by the Israeli company NSO Group — has been found not only on Androids and iPhones in countries with questionable human rights protections, but also in the U.S. The researchers believe this cross-border surveillance likely breaks the law in the U.S. and other countries.

Citizen Lab via Twitter

To become an NSO Pegasus infection victim, the operator has to trick a person into clicking a link that then delivers a chain of zero-day exploits and secretly installs Pegasus on the phone. After the malware installs on the target’s iPhone or Android phone without the user’s knowledge, it is then capable of spying via the phone’s camera and microphone. It can also steal text messages, passwords, photos, contact list, calendar events, and much more.

After Citizen Lab created fingerprints as a way to track Pegasus spyware, they identified 1,091 IP addresses between August 2016 and August 2018 that matched their fingerprint for NSO’s spyware. Using a technique dubbed Athena, the researchers clustered the IP addresses to come up with 36 groups that deployed the spyware against targets in 45 countries, including the U.S., U.K. and Canada.

Ten of the 36 different Pegasus operators appear to have infected victims’ phones across multiple countries for cross-border surveillance. The researchers noted that cross-border targeting and monitoring “is a relatively common practice.”

They added:

The scope of this activity suggests that government-exclusive spyware is widely used to conduct activities that may be illegal in the countries where the targets are located. For example, we have identified several possible Pegasus customers not linked to the United States, but with infections in US IP space. While some of these infections may reflect usage of out-of-country VPN or satellite Internet service by targets, it is possible that several countries may be actively violating United States law by penetrating devices located within the US.

NSO Pegasus infections were found in the following 45 countries: Algeria, Bahrain, Bangladesh, Brazil, Canada, Cote d’Ivoire, Egypt, France, Greece, India, Iraq, Israel, Jordan, Kazakhstan, Kenya, Kuwait, Kyrgyzstan, Latvia, Lebanon, Libya, Mexico, Morocco, the Netherlands, Oman, Pakistan, Palestine, Poland, Qatar, Rwanda, Saudi Arabia, Singapore, South Africa, Switzerland, Tajikistan, Thailand, Togo, Tunisia, Turkey, the UAE, Uganda, the United Kingdom, the United States, Uzbekistan, Yemen, and Zambia.

Although NSO denied the list of countries is accurate, many on the list have questionable human rights protections.

Granted, Citizen Lab researchers admitted that some of the geolocation findings could be inaccurate, as some Pegasus infection victims could be using VPNs or satellite connections that make them appear to be in a different country.

Citizen Lab suggested NSO is not doing its due diligence, as it has “a significant number of customers that maintain active infections in other countries, likely violating those countries laws. The global market for government exclusive spyware continues to grow, and as it does, more governments and security services with histories of abuse will acquire this technology. The expanding user base of spyware like Pegasus will enable a growing number of authoritarian states to pry into into the digital lives of their own citizens, but also into phones and computers in pockets and purses around the globe.”