Advertisement

NSO Group used WhatsApp exploits after the messaging app sued the spyware developer, court filing says

The filing also suggests that customers have a minimal role in operating the spyware, in an apparent contradiction of past NSO Group claims.
Listen to this article
0:00
Learn more. This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment.
(Getty Images)

NSO Group developed malware that used WhatsApp to infect victims even after WhatsApp sued the leading spyware vendor over allegations that it violated federal and state anti-hacking laws, according to a court filing by the messaging app and its parent company Meta on Thursday.

It was one of a bevy of revelations and new details found in the filing that expound on how NSO Group operates and the scope of its work. WhatsApp is seeking a summary judgment from the U.S. District Court for the Northern District of California and award of damages.

After detecting NSO Group’s malicious messages in May 2019, WhatsApp made changes to disable the exploit called “Eden,” according to the filing. NSO Group “then developed a new Malware Vector called ‘Erised’ that continued using WhatsApp as an installation vector through at least May 2020 — even after this litigation had been filed — until changes to WhatsApp eventually disabled that Malware Vector, too.”

Those were two of three WhatsApp-centric exploits mentioned in the filing, with the third known as “Heaven” and disabled by WhatsApp in 2018. “NSO admits Eden was responsible for the attacks described in the Complaint” — 1,400 in all, as WhatsApp had claimed and NSO Group admitted, according to the complaint. Additionally, “NSO’s Head of R&D has confirmed that those vectors worked precisely as alleged by Plaintiffs.”

Advertisement

The filing also suggests that NSO Group operates its spyware, contradicting past claims from the Israeli firm.

“NSO’s customers’ role is minimal. The customer only needed to enter the target device’s number and ‘press Install, and Pegasus will install the agent on the device remotely without any engagement,’” the filing reads, quoting from information revealed during the discovery process. “In other words, the customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus. NSO admits the actual process for installing Pegasus through WhatsApp was ‘a matter for NSO and the system to take care of, not a matter for customers to operate.’” 

Gil Lanier, vice president of global communications for NSO Group, said the company “stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.” The emailed statement said that the company is “confident that these claims, like many others in the past, will be proven wrong in court, and we look forward to the opportunity to do so.”

The five-year-old lawsuit is one of many filed in an attempt to use courts to battle spyware companies, and one of the most successful so far.

“The evidence unveiled [Thursday] shows exactly how NSO’s operations violated U.S. law and launched their cyber-attacks against journalists, human rights activists and civil society,” a WhatsApp spokesperson said via email. “We are going to continue working to hold NSO accountable and protect our users.”

Advertisement

This story was updated Nov. 15, 2024, to correct the date through which NSO Group used WhatsApp as an installation vector.

Matt Bracken

Written by Matt Bracken

Matt Bracken is the managing editor of FedScoop and CyberScoop, overseeing coverage of federal government technology policy and cybersecurity. Before joining Scoop News Group in 2023, Matt was a senior editor at Morning Consult, leading data-driven coverage of tech, finance, health and energy. He previously worked in various editorial roles at The Baltimore Sun and the Arizona Daily Star. You can reach him at matt.bracken@scoopnewsgroup.com.

Latest Podcasts