The Israeli company behind WhatsApp hack earlier this May has developed new technology that can clandestinely steal a user’s data from Apple, Google, Facebook, Amazon, and Microsoft.

According to The Financial Times — which reported the development — NSO Group’s Pegasus malware “has now evolved to capture the much greater trove of information stored beyond the phone in the cloud, such as a full history of a target’s location data, archived messages or photo.”

Hard Fork!

Hard Fork?

Hard Fork

Upon installation on the target’s phone, the new capability works by copying the login credentials of various services like Facebook Messenger, Google Cloud, iCloud, and others, and then using a separate server to mimic the phone, including its location.

This server then syncs all the information, including messages, photos, and location history, from the ‘connected’ device, and relays them back to the surveillance operators.

The report further states that the number of people whose cloud accounts may have been targeted by this latest technique is not yet known, although it appears NSO’s parent company Q-Cyber pitched the service to the government of Uganda.

NSO Group is known for working with governments to install Pegasus spyware. It features advanced capabilities to jailbreak or root an infected mobile device, turn on the phone’s microphone and camera, scan emails and messages, and collect all sorts of sensitive information.

In May, the FT discovered a vulnerability in WhatsApp’s audio call feature that allowed attackers to inject iPhones and Androids with Pegasus. This prompted the Facebook-owned messaging service to issue a server-side update to patch the exploit.

The company maintains that its software is only sold to responsible governments to help foil terrorist attacks and crimes. But Pegasus has been found to be misused to track human rights activists and journalists around the world.

The report further states that while NSO Group denied building hacking or mass-surveillance tools for cloud services, it did not specifically deny that it had developed the new surveillance feature. Some of the big tech companies mentioned in the report are now said to be investigating the claims at their end.

The new revelations come at a time when cloud adoption is accelerating at a rapid pace, with security and privacy emerging a top priority for major service providers. Risks from data loss and leakage remains a huge barrier to wider cloud adoption.

Cybersecurity firm Check Point’s 2019 Cloud Security Report early this week cited unauthorized cloud access and account hijacking as some of the major cloud vulnerabilities, stressing the need for stronger authentication mechanisms to safeguard users against such stealth attacks.

With passwordless authentication gaining momentum in recent years, it’s possible more systems will incorporate such secure standards in the future.

Update on July 20, 3:40 AM IST: A Google spokesperson gave us the following comment:

We’ve found no evidence of access to Google accounts or systems, and we’re continuing our investigation. We automatically protect users from security threats and we encourage them to use tools like our Security Checkup, 2-step verification, and our Advanced Protection Program, if they believe they may be at especially high risk of attack.

Read next: Instagram will kindly let you know you’ve F’ed up before banning you