WhatsApp won a legal case against NSO Group in a U.S. court over the exploitation of a WhatsApp vulnerability to deliver the Pegasus spyware. Will Cathcart of WhatsApp called the ruling a major privacy victory, emphasizing accountability for spyware firms after a five-year legal battle.
Court documents state that on October 29, 2019, plaintiffs filed this lawsuit, alleging that the defendants used WhatsApp to target approximately 1,400 mobile phones and devices to infect them with the surveillance software.
“defendants’ relevant software products, collectively referred to as “Pegasus,” allow defendants’ clients to use a modified version of the Whatsapp application – referred to as the “Whatsapp Installation Server,” or “WIS.” The WIS, among other things, allows defendants’ clients to send “cipher” files with “installation vectors” that ultimately allow the clients to surveil target users.” reads the court document. “As mentioned above, plaintiffs allege that defendants’ conduct was a violation of the CFAA, the CDAFA, and a breach of contract.”
The U.S. court ruled that NSO Group repeatedly failed to produce key evidence, including Pegasus source code, and imposed sanctions, reserving harsher penalties for later.
WhatsApp stated that NSO only provided the code running on its AWS servers, not the full Pegasus codebase. Judge Hamilton criticized NSO’s non-compliance with the discovery orders, citing concerns about transparency.
The court granted summary judgment to WhatsApp, finding NSO Group liable for violating the CFAA and the CDAFA and for breach of contract, since WhatsApp’s terms of service prohibit using the platform for malicious purposes. WhatsApp hailed the decision as a victory for privacy.
The surveillance firm exploited a zero-day vulnerability, tracked as CVE-2019-3568 (CVSS score of 9.8), in the voice calling feature of the popular instant messaging app: a buffer overflow in WhatsApp’s VOIP stack that allowed remote code execution via a specially crafted series of SRTCP packets sent to the target’s phone number.
NSO Group continued using WhatsApp-based exploits, including an installation vector called “Erised,” even after being sued for violating anti-hacking laws. The court filings describe three such exploits, named “Heaven,” “Eden,” and “Erised,” that were employed in over 1,400 attacks attributed to NSO Group.
“Even after WhatsApp detected and blocked the exploit described in the Complaint in May 2019, NSO admits that it developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus. NSO continued to use and make Erised available to customers even after this litigation had been filed, until changes to WhatsApp blocked its access sometime after May 2020. NSO’s witnesses have refused to answer whether it developed further WhatsApp-based Malware Vectors thereafter.” continues the court filing. “All of these facts are undisputed, drawn principally from the corporate representative testimony of NSO’s own witnesses, which is binding on Defendants.”
In May 2019, Facebook patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that had been exploited to remotely install spyware on phones simply by placing a call to the targeted device; the victim did not even need to answer.
At the time, The Financial Times reported that the WhatsApp zero-day was exploited by threat actors to deliver the spyware developed by surveillance firm NSO Group.
The surveillance software developed by NSO Group was used by government organizations worldwide to spy on human rights groups, activists, journalists, lawyers, and dissidents. Security experts have detected and analyzed some of the tools in its arsenal, such as the popular Pegasus spyware (for iOS) and its Android counterpart, Chrysaor.
In March 2024, Meta scored a discovery win in the litigation against the Israeli spyware vendor: a U.S. judge ordered the surveillance firm to hand over the source code for its Pegasus spyware and other products to the social network giant.
NSO Group was ordered to provide details regarding the complete functionality of the pertinent spyware, covering the period from one year before the alleged attacks through one year after them (i.e., from April 29, 2018, to May 10, 2020).
Court documents filed in November 2024 revealed that NSO Group had minimal control over customers’ use of its spyware, contradicting prior claims by the Israeli firm.
Contrary to NSO’s claims, the filing suggests that the spyware vendor itself operated the Pegasus system, with customers only needing to provide a target phone number. NSO disputes these allegations, asserting that its clients alone operate the system.
“[NSO Group] stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.” said Gil Lanier, vice president of global communications for the Israeli firm.
(SecurityAffairs – hacking, NSO Group)