WhatsApp has alleged that an Israeli spyware company was "deeply involved" in the hacking of 1,400 WhatsApp users, including journalists, government officials, and dissidents. In new court filings, the messaging app owned by Facebook claims that NSO Group, the spyware company, used servers located in the U.S. and has responsibility for human rights violations in India and Rwanda. NSO Group has always said that after it produces the spyware, it is then purchased by governments and other clients to track down criminals. This means that no NSO Group employee is aware of how the software is used.
The software, called Pegasus, hacked targets' phones after the NSO Group gained "unauthorized access" to WhatsApp's servers, the court filing claims. This was achieved, it is claimed, by reverse-engineering WhatsApp to be able to avoid security features and manipulate the exact way calls are made. Pegasus was then able to be installed on a device with a single WhatsApp call to the user, whether it was answered or not.
WhatsApp claims that NSO Group-controlled servers, not government servers, were used for this "unauthorized access." The lawsuit was filed in 2019 but has been hit by complicated delays, with one side blaming the other for unconventional practices.
The lawsuit is the first of its kind and court filings are starting to be released, allowing more details to be revealed. "NSO used a network of computers to monitor and update Pegasus after it was implanted on users' devices," the court filings from WhatsApp read "These NSO-controlled computers served as the nerve center through which NSO controlled its customers' operation and use of Pegasus." WhatsApp offers end-to-end encryption of conversations so it was said to be difficult to hack but the company discovered the vulnerability allowing Pegasus' access in May 2019. It updated the app to provide security against this type of hack.
WhatsApp reportedly disclosed 12 vulnerabilities last year, according to the Financial Times, seven of which were deemed "critical." NSO Group is disputing the claims and says that it has no knowledge of what its clients do with the software.
"Our products are used to stop terrorism, curb violent crime, and save lives," an NSO Group spokesperson told Newsweek in a statement. "NSO Group does not operate the Pegasus software for its clients, nor can it be used against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States. Our past statements about our business, and the extent of our interaction with our government intelligence and law enforcement agency customers, are accurate." It is expected that NSO Group will be responding formally to the claims in the coming days.
