NEW: We uncovered forensic evidence that shows prominent Moroccan journalist @OmarRADI was targeted with mobile network injection attacks using NSO Group's products as recently as January 2020. THREAD
https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/

A fearless journalist, @OmarRADI has faced harassment and persecution. Last December he was detained because of a tweet, and later received a 4-month suspended sentence. Check out his interview on @democracynow shortly before his trial. https://www.democracynow.org/2020/02/26/meet_omar_radi_the_moroccan_journalist
Our @AmnestyTech Security Lab conducted forensic analysis of Omar's phone and found traces of network injection attacks from early 2019 until as recently as end of January 2020. We found similar evidence in the attacks we uncovered in our previous report: https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/
Using either a tactical rogue cell tower, such as the one @beckpeterson captured in this picture, or through equipment at the mobile operator's premises, Moroccan authorities monitored unencrypted traffic from Omar's phone and automatically injected redirects to exploit pages.
Suspicious of one of these redirects, @OmarRADI took a ninja screenshot of his phone while it was being redirected to the malicious domain, showing it was connected over a 4G network.


If you are on Android, you can try searching in your browsing history for the known malicious domains used in Morocco for these network injection attacks:
In the Technical Appendix, we highlight some details on forensic traces we have found on the device. In one case we noticed that the injection occurred while Omar was using his Twitter app, and from within it opened a link preview.
Other network injection attempts resulted in the creation of IndexedDB-related files on Omar's phone. While we did not manage to recover any exploit, we believe this might be symptomatic either of the vulnerability NSO Group is using, or of the exploitation technique.
After a successful exploitation, we noticed the system files CrashReporter.plist and softwareupdateservicesd.plist modified, seemingly to disable upload of crash reports to Apple and to disable automated software updates.
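
The browsing-history check suggested earlier in the thread can be scripted. The sketch below is an added example, not code from Amnesty's Security Lab. It assumes the history has been exported as (timestamp, URL) pairs. The indicator domain is a placeholder because the thread's domain list is not reproduced here. The 5-second window is also an assumption.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Placeholder indicator (assumption): substitute the domains from the report.
IOC_DOMAINS = {"injected-redirect.example"}

# Constructed sample export of (ISO timestamp, URL) rows; not real data.
SAMPLE_HISTORY = [
    ("2020-01-27T10:15:02", "https://twitter.com/home"),
    ("2020-01-27T10:15:40", "http://news-site.example/article"),
    ("2020-01-27T10:15:41", "https://sub.injected-redirect.example/abc?x=1"),
    ("2020-01-27T11:02:10", "https://notinjected-redirect.example/"),
    ("2020-01-28T09:00:00", "http://injected-redirect.example./landing"),
]

def host_matches(host, iocs):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in iocs)

def find_hits(history, iocs=IOC_DOMAINS, window=timedelta(seconds=5)):
    """Return visits to indicator domains, each with the plain-HTTP page (if
    any) visited within `window` before it, since the redirects described
    above are injected into unencrypted traffic."""
    rows = sorted((datetime.fromisoformat(ts), url) for ts, url in history)
    hits = []
    for i, (when, url) in enumerate(rows):
        if not host_matches(urlsplit(url).hostname, iocs):
            continue
        preceding = None
        for prev_when, prev_url in reversed(rows[:i]):
            if when - prev_when > window:
                break  # older entries are outside the time window
            prev = urlsplit(prev_url)
            if prev.scheme == "http" and not host_matches(prev.hostname, iocs):
                preceding = prev_url
                break
        hits.append({"time": when.isoformat(), "url": url,
                     "preceded_by_http": preceding})
    return hits

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_HISTORY):
        print(hit)
```

A hit with a preceding HTTP page records which unencrypted request was likely hijacked. A hit without one still counts as a match on the indicator domain.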