
WhatsApp sued Israeli surveillance firm NSO Group and its parent Q Cyber Technologies

WhatsApp sued Israeli surveillance firm NSO Group, accusing it of using a flaw in its messaging service to conduct cyberespionage on journalists and activists.

WhatsApp sued the Israeli surveillance firm NSO Group, accusing it of carrying out malicious attacks against its users.

In May, Facebook patched a critical zero-day vulnerability in WhatsApp, tracked as CVE-2019-3568, that had been exploited to remotely install spyware on phones by calling the targeted device.

WhatsApp did not name the threat actor exploiting CVE-2019-3568; it described the attackers as an “advanced cyber actor” that targeted “a select number of users.”

“A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.” reads the description provided by Facebook.

The WhatsApp zero-day vulnerability is a buffer overflow issue that affects the WhatsApp VOIP stack. The flaw could be exploited by a remote attacker to execute arbitrary code by sending specially crafted SRTCP packets to the targeted mobile device.

At the time, The Financial Times reported that the WhatsApp zero-day had been exploited by threat actors to deliver the spyware developed by surveillance firm NSO Group.

The surveillance software developed by NSO Group was used by government organizations worldwide to spy on human rights groups, activists, journalists, lawyers, and dissidents. Security experts have detected and analyzed some of the tools in its arsenal, such as the popular Pegasus spyware (for iOS) and Chrysaor (for Android).

In September 2018, a report published by Citizen Lab revealed that the NSO Pegasus spyware was used against targets across 45 countries worldwide.

In November 2019, Snowden warned of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.

In October 2019, NSO Group’s surveillance spyware made the headlines again; this time the malware was used to spy on 2 rights activists in Morocco, according to Amnesty International.

WhatsApp head Will Cathcart announced that his company has evidence that NSO Group was involved in attacks against its users.

“NSO Group claims they responsibly serve governments, but we found more than 100 human rights defenders and journalists targeted in an attack last May. This abuse must be stopped,” Cathcart said on Twitter.

The lawsuit filed by WhatsApp in U.S. District Court in San Francisco sees Facebook accusing NSO Group of having violated WhatsApp’s terms of service by abusing its servers to spread the surveillance malware.

According to the lawsuit, the NSO Group infected approximately 1,400 mobile devices between April and May 2019.

“Between in and around April 2019 and May 2019, Defendants used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices (“Target Devices”). Defendants’ malware was designed to infect the Target Devices for the purpose of conducting surveillance of specific WhatsApp users (“Target Users”).” reads the lawsuit. “Unable to break WhatsApp’s end-to-end encryption, Defendants developed their malware in order to access messages and other communications after they were decrypted on Target Devices. Defendants’ actions were not authorized by Plaintiffs and were in violation of WhatsApp’s Terms of Service. In May 2019, Plaintiffs detected and stopped Defendants’ unauthorized access and abuse of the WhatsApp Service and computers.”

According to the document, at least 100 members of civil society were targeted with the spyware.

“Working with research experts at the Citizen Lab, we believe this attack targeted at least 100 members of civil society, which is an unmistakable pattern of abuse. This number may grow higher as more victims come forward.” reads a post published by WhatsApp. “This attack was developed to access messages after they were decrypted on an infected device, abusing in-app vulnerabilities and the operating systems that power our mobile phones,” Facebook-owned WhatsApp said in a blog post.

The attackers created WhatsApp accounts to send bait messages to target devices. The attackers created the accounts using telephone numbers registered in different countries, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands.

WhatsApp notified all 1,400 impacted users of the abuse.

“We sent a special WhatsApp message to approximately 1,400 users that we have reason to believe were impacted by this attack to directly inform them about what happened.” continues the post.

The complaint filed by WhatsApp in U.S. court also attributes the attack to another surveillance firm, Q Cyber Technologies, which is a parent company of the NSO Group.

Pierluigi Paganini

(SecurityAffairs – WhatsApp, NSO Group)
