New Delhi: Technology developed and deployed by political operatives working to further the interests of India’s ruling party appears to have given them the ability to add script to the URLs of published news stories at mainstream platforms in order to redirect unsuspecting readers to fake news and also hack into and take over WhatsApp accounts, potentially exposing millions of Indians to the risk of identity theft.

Since the aim of the exercise is to use inactive hacked accounts to seed disinformation and fake news, vulnerable WhatsApp users also face potential legal liability in the event that criminal cases are filed relating to objectionable content simulated as emanating from their phone numbers.

Last week, The Wire published the first part of its 20-month-long investigation into the secret ‘Tek Fog’ app being used by cyber operatives to manipulate social media trends in favour of the Bharatiya Janata Party, and target critics of the Narendra Modi government.

We explained the four features that make Tek Fog so unique and dangerous – (1) hijacking Twitter and Facebook trends, (2) phishing and capturing inactive WhatsApp accounts, (3) creating and deploying a highly granular database of citizens for targeted harassment, and (4) the possibility that its use is part of a political-corporate nexus linking the BJP to large tech players and platforms. Since the publication of our story, two of the companies which The Wire‘s source had named as having links to the use of Tek Fog – Persistent Systems and Sharechat – have issued statements denying any knowledge of the app.

In Part 2, The Wire explains the technology by which Tek Fog is used to hijack a WhatsApp account, and the ease with which the processes involved may be scalable.

On April 30, 2020, while interviewing the original whistleblower – associated with the Twitter account @Aarthisharma08 – about various features of Tek Fog, they claimed the app gave the cyber troops using it the ability to access WhatsApp accounts of individual citizens as part of an inbuilt feature. The source explained that operators could remotely access ‘inactive’ WhatsApp accounts added to the app’s contact list and use the hijacked phone number to send targeted messages to their ‘frequently contacted’ or ‘all contacts’ lists. An ‘inactive’ WhatsApp account means that the actual user of the number wasn’t using the app – either because they had uninstalled the app or because they had reset their phone.

The whistleblower also claimed that the contact list of the compromised account is synced to a cloud-based political database in the app, making numbers on the list available as potential targets in future disinformation, harassment or trolling campaigns.

They went on to claim that this process of hacking WhatsApp accounts is a multi-step process. Targeted accounts that are ‘active’ are first sent a WhatsApp message in the form of a media file (image or video) from an unknown contact. They claimed that this initial file contains spyware – a piece of software that performs malicious activities, typically related to surveillance. After the media file has been downloaded by the target, the spyware is activated, making the phone vulnerable.

Once the initial phishing file has been delivered, the activity status of the targeted account can be monitored via the Tek Fog app. When the account becomes ‘inactive’, it can then be seen by the operatives in an auto-complete search in the app. Immediately after being listed in the search results, the operatives are able to access the targeted WhatsApp account remotely, without the owner’s consent or knowledge of the exploit. The choice to access only inactive WhatsApp accounts appears to be a practical – and not a technological – constraint since sending fake messages from an active account could raise suspicions.

Seeking to verify the claim of account hijacking, The Wire asked the whistleblower to perform a live demonstration of this exploit by hijacking a WhatsApp account belonging to a member of our team and sending a custom message to his ‘frequently contacted’ contacts. Asked whether they require one of the phone numbers of the authors to execute the exploit, the whistleblower said that the WhatsApp account details of one of the authors was already available in the app.

They went on to explain that this author’s account has been in Tek Fog since January 30, 2020, soon after he received a WhatsApp message from an unknown number and downloaded a gallery of images onto his personal device. Coincidentally, on January 25, 2020, a few days before his account had been compromised, the same author had independently released a research report (subsequently published by Firstpost) uncovering the large tweet volumes, complex hierarchies and coordinated attacks carried out by bot-accounts belonging to the BJP IT Cell on Twitter.

As the phone number of one of our WhatsApp accounts was already with the whistleblower, the team sent them a custom text message at 02:07 am IST (GMT+5:30) on the same day. The message said: “This is a ping from 123.212.789.1 from Devesh”. We also uninstalled WhatsApp from the device whose number was already in the Tek Fog database.

The Wire team asked the source to screen-record their device executing the ‘hijacking’ procedure and share that video with us.

At 02:19 am IST, shortly after being provided with our custom text message, all five ‘frequently contacted’ users – including one that belonged to another author working on the investigation – received the same message as if it had come from our number, confirming that this particular feature of the app was functional at the time of analysis. Six minutes later, the source shared a screen recording of the Tek Fog app that showed them executing the task.

Since Devesh’s number was already in the Tek Fog contact list, the video begins with the whistleblower selecting the name ‘Devesh’ as it appears in the Tek Fog search.

Screenshot of the custom text message sent to the ‘frequently contacted’ users of the targeted WhatsApp account. (Source: The Wire)

This method of hacking devices is fairly common – and is reminiscent of the Trojan horse story. In fact, the Pegasus spyware used a similar method before the NSO Group developed a zero-click exploit.

One of the authors of this story learned from a source on background that what was likely happening is that by downloading a media file, spyware is activated which then steals a unique token or key that is private to a user’s WhatsApp account. After Tek Fog has access to this private key, it can then check the activity status of the account and remotely send messages to the target’s contacts via the same APIs that WhatsApp uses to deliver messages. The background source also highlighted that the process of sending messages to ‘frequently contacted’ or ‘all contacts’ in this exploit is similar to how WhatsApp structures its data and API on their servers.

That said, at the time of publication, The Wire was unable to independently verify the precise mechanism through which Tek Fog is able to compromise WhatsApp accounts. More data would be required to come to a conclusion on this.

The source also demonstrated another advanced feature of Tek Fog: the ability to modify existing news articles to create fake news by changing keywords (‘BJP’ to ‘Congress’ or ‘Left-wing’ to ‘Right-wing’, for example) and to generate political junk news with a fictitious narrative by modifying the link of a published article.

For example, could lead to a legitimate article, but the app could modify the link to and lead to a spurious article. A casual reader may not notice because most of the link is still the same (more so if the fake page is also styled like The Wire website).

As evidence of this capability, the whistleblower gave The Wire team a link (generated by a URL shortener) that redirected to a manipulated version of an article (authored by one of the authors of this article) for The Print. The generated link had an embedded code in the query string, that led to a webpage which resembled a page on the original publication – but the source had edited the headline and parts of the text to make the author appear to say something they didn’t say. The link was deactivated before this article was published but we are providing the screenshots below.

The capabilities shown in this demo were similar to those that Max Woolf, a data scientist at Buzzfeed, had outlined in 2019.

In his article, Woolf says that an AI model called GPT-2 can be used to generate coherent, text-like messages. (GPT-2 was built by OpenAI, a US-based AI research company, one of whose advisers is Elon Musk. OpenAI released an updated model called GPT-3 in May 2020.)

But another company, Salesforce, has a ‘better’ AI model called CTRL. It takes this ability further by being able to generate long-form articles. Woolf has shown how this model can extract ‘a surprising amount of metadata’ from a series of random news articles – you just need to share the links – including detailed information about their underlying content, like their style and tone. CTRL can then be tweaked to use these insights to generate junk news, and upload it to a link that is similar to the original but with a few words changed – all on its own.

The generated article is very realistic, and follows the style and the tone of the original, giving readers almost no reason to suspect that they’re reading a fake article.

The use of such sophisticated AI models helps reduce the workload of app operators. Instead, the operators can focus on disseminating junk news links through the BJP’s network of WhatsApp groups – with Tasker’s help, as we shall see below.

Apart from hijacking inactive WhatsApp accounts – those owned by influencers or otherwise – and making fake news out of real news stories, the whistleblower claimed that the Tek Fog app could also be used to automate and stream the BJP’s political messaging – mostly abuse and propaganda – by generating inauthentic accounts in bulk. App operatives then use these second-generation accounts to disseminate targeted narratives through the vast network of political chat groups that the party operates on the platform.

According to a TIME investigation into the use of WhatsApp in the 2019 elections, apart from political campaigning, these chat groups frequently contain and disseminate false information and hateful rhetoric, much of which comes from forwarded messages. These groups also reportedly share messages targeting religious and ethnic minorities, posing a threat in a country that has had multiple incidents of mob violence driven by false information circulated through the app.

The Wire built on primary testimony provided by the original whistleblower and on Persistent System’s Sharepoint screenshots, shared by another independent source currently employed by the company. We could verify that Tek Fog uses an Android app called Tasker to schedule, trigger and disseminate messages to individual users – or even tens of thousands of hyper-localised political WhatsApp groups created and managed by the ruling party.

Persistent System’s Sharepoint screenshot shows the use of Tasker in the active development of the Tek Fog app. (Source: The Wire)

Tasker, developed by a developer named João Dias, is one of the most popular automation apps available in the Android app store. It allows users to create several automated tasks that trigger specific actions – like opening the camera or calling a contact – or invoke functions on other installed apps, like sending a message through Facebook Messenger or playing music on YouTube.

With Tasker, the process of opening or closing an app during automation can happen in the background, without requiring active supervision, giving app operators the freedom to do other things. Developers can also extend the functionalities of Tasker by creating third-party plugins to use with the app, thus allowing others to customise the app to suit their particular usage of it.

The source explained that the people operating Tek Fog give Tasker a link. The link goes to a database that contains instructions to trigger different ‘actions’ – like opening WhatsApp and sending a message.

Screenshot of Tasker showing a sample task to automate messages on WhatsApp. (Source: Medium/archive)

In 2019, HuffPost reported on a thriving industry of private companies developing apps that could automate WhatsApp messages on behalf of the government. In the present system, the process of automation has taken a giant leap with the integration of open-source artificial intelligence techniques as well.

Unlike open-broadcast platforms like Twitter, WhatsApp provides a sense of privacy and intimacy to its users – numbering in the hundreds of millions in India alone. But political actors appear to be exploiting these very features to flood the platform with mis- and disinformation, manipulated media and junk news – and escaping scrutiny from platform owners and law enforcement.

The revelation of WhatsApp hijacking, with its ease and sophistication, combined with technologies to automate, learn and scale, poses a significant risk to the integrity of the Indian information ecosystem and the privacy of India’s citizens. The same features also provide unprecedented insights into the technological arsenal of online operatives promoting the BJP and their ability to weaponise WhatsApp to dominate public and political discourse in the world’s largest democracy.

In Part 3 of our investigation, we shall see how Tek Fog has been deployed to engineer political narratives and target women journalists, especially those critical of the Narendra Modi government.

Note: If you are working with Persistent Systems, Sharechat or the BJYM and are using/ have used or know more about the Tek Fog app and the broader operation underpinning its use, please contact us at [email protected]. We will ensure your anonymity and privacy at all costs.

Ayushman Kaul is an independent security and intelligence analyst covering South Asia.

Devesh Kumar is an independent data analyst and Senior Data Visualizer with The Wire.

Featured illustration: Shreya Bhatia (@oddbench)