WhatsApp is suing Israeli spyware developer NSO Group for exploiting a since-fixed vulnerability in WhatsApp that allowed attackers to plant spyware on users' phones just by ringing their target's device. WhatsApp filed the lawsuit in the Northern District of California on October 29, and Will Cathcart, the head of WhatsApp, announced the suit on October 30 in a Washington Post op-ed.

What was the vulnerability?

In May 2019, the Financial Times reported a vulnerability in WhatsApp that allowed attackers to inject spyware onto targeted users' phones through WhatsApp calls. The malicious code could be transmitted even if the users did not answer the calls. The malicious code was developed by NSO.

Was it fixed?

Yes, WhatsApp raced to fix it, and an update patching the vulnerability was released soon.

What is NSO?

NSO is an Israeli private spyware company known for developing the spyware product Pegasus, which was used to exploit WhatsApp's vulnerability. As per University of Toronto-based Citizen Lab, despite its claims that it sells spyware only to government clients, NSO's technology has increasingly been used to target members of civil society. It was incorporated in Israel in 2010 and had a marketing and sales arm in the US, WestBridge Technologies, Inc., as per WhatsApp's lawsuit. Between 2014 and 2019, a San Francisco-based private equity firm acquired a controlling stake in the NSO Group. Now, however, it has been reacquired by its founders and management, and Q Cyber is listed as…
