WhatsApp is suing Israeli spyware developer NSO Group for exploiting a since-fixed vulnerability in WhatsApp that allowed attackers to plant spyware on users’ phones just by ringing their target’s device. WhatsApp filed a lawsuit in the Northern District of California on October 29, and Will Cathcart, the head of WhatsApp, announced the suit on October 30 in a Washington Post op-ed.
What was the vulnerability? In May 2019, the Financial Times reported a vulnerability in WhatsApp that allowed attackers to inject spyware onto targeted users’ phones through WhatsApp calls. The malicious code could be transmitted even if the users did not answer the calls. The malicious code was developed by NSO.
Was it fixed? Yes, WhatsApp raced to fix it, and an update patching the vulnerability was released soon after.
What is NSO? NSO is an Israeli private spyware company known for developing the spyware product Pegasus, which was used to exploit WhatsApp’s vulnerability. As per the University of Toronto-based Citizen Lab, despite its claims that it sells spyware only to government clients, NSO’s technology has increasingly been used to target members of civil society.
- It was incorporated in Israel in 2010 and had a marketing and sales arm in the US, WestBridge Technologies, Inc., as per WhatsApp’s lawsuit. Between 2014 and 2019, a San Francisco-based private equity firm acquired a controlling stake in the NSO Group. Now, however, it has been reacquired by its founders and management, and Q Cyber is listed as the only active director of the Group and its majority shareholder.
How does Pegasus work? As per WhatsApp’s lawsuit, Pegasus and its variants can be “remotely installed and enable the remote access and control of information” on Android, iOS and BlackBerry mobile phones. To enable its remote installation, NSO abused vulnerabilities in operating systems and apps, and used malware delivery methods such as spearphishing messages with links to malicious code.
NSO marketed Pegasus’s undetectable remote installation feature to its clients, as per the WhatsApp submission. Pegasus could:
- Intercept communications sent to and from a device, including communications over iMessage, WhatsApp, Skype, Telegram, etc.
- Remotely turn on the phone’s camera and microphone to capture activity in the phone’s vicinity
- Use GPS functions to track a target’s location and movements.
How does WhatsApp know it is NSO? As per Cathcart’s op-ed, the servers and Internet-host services used by attackers have previously been associated with NSO. Also, some of the WhatsApp accounts used by attackers have links to NSO.
Did it undermine WhatsApp’s end-to-end encryption? No, according to WhatsApp’s submission. End-to-end encryption works on data in transit, that is, when a message is sent and received. Once a message is received at a device and decrypted, it turns into data at rest. It is this decrypted data that Pegasus snooped on. While end-to-end encryption remained safe, compromised devices meant that NSO could spy on all the messages that were sent.
Who was targeted? WhatsApp said that about 1,400 users were affected by this attack, and WhatsApp has written to them. Citizen Lab helped WhatsApp understand the impact of this attack on civil society. As per the Citizen Lab’s report, over 100 human rights defenders and journalists in at least 20 countries were targeted. It is unclear if there were any Indians affected by the attack. MediaNama has reached out to the Citizen Lab for clarification.
What does WhatsApp say? According to the company,
- NSO Group used WhatsApp’s servers and created fake accounts to target people and to send malicious code (Pegasus)
- NSO mimicked the WhatsApp app and legitimate network traffic to transmit malicious code to target devices over WhatsApp servers
- WhatsApp has also cited breach of contract (WhatsApp’s Terms of Service) and trespass over the company’s servers as causes for the lawsuit.
- WhatsApp suffered damages of more than $75,000 and is seeking punitive damages too.