NSO Group told European lawmakers this week that "under 50" customers use its notorious Pegasus spyware, though these customers include "more than five" European Union member states.
The surveillance-ware maker's General Counsel Chaim Gelfand refused to answer specific questions about the company's customers during a European Parliament committee meeting on Thursday.
Instead, he frequently repeated the company line that NSO exclusively sells its spyware to government agencies — not private companies or individuals — and only "for the purpose of preventing and investigating terrorism and other serious crimes."
Generally speaking, a target selected by an NSO customer has their phone or other device infected with hidden spyware via the exploitation of one or more security vulnerabilities. Once installed, this software can secretly snoop on that person's calls, messages, and other activities. The code is installed by, say, sending a booby-trapped message to the victim that when received and automatically processed by their device, causes the spyware to silently deploy and run.
These tools are "licensed solely to law enforcement and government agencies," Gelfand said, adding these are "limited in number, and contracts are carefully contracted to only permit legitimate use."