WhatsApp sues Israeli spyware company NSO Group for planting spyware in users’ devices


WhatsApp is suing Israeli spyware developer NSO Group for exploiting a since-fixed vulnerability in WhatsApp that allowed attackers to plant spyware on users’ phones just by ringing their target’s device. WhatsApp filed a lawsuit in the Northern District of California on October 29 (read it here), and Will Cathcart, the head of WhatsApp, announced the suit on October 30 in a Washington Post op-ed.

What was the vulnerability? In May 2019, the Financial Times reported a vulnerability in WhatsApp that allowed attackers to inject spyware onto targeted users’ phones through WhatsApp calls. The malicious code could be transmitted even if the users did not answer the calls. The malicious code was developed by NSO.

Was it fixed? Yes, WhatsApp raced to fix it, and an update patching the vulnerability was released soon after.

What is NSO? NSO is an Israeli private spyware company known for developing the spyware product Pegasus, which was used to exploit WhatsApp’s vulnerability. As per the University of Toronto-based Citizen Lab, despite NSO’s claims that it sells spyware only to government clients, its technology has increasingly been used to target members of civil society.

  • It was incorporated in Israel in 2010 and had a marketing and sales arm in the US, WestBridge Technologies, Inc., as per WhatsApp’s lawsuit. Between 2014 and 2019, a San Francisco-based private equity firm acquired a controlling stake in the NSO Group. Now, however, it has been reacquired by its founders and management, and Q Cyber is listed as the only active director of the Group and its majority shareholder.

How does Pegasus work? As per WhatsApp’s lawsuit, Pegasus and its variants can be “remotely installed and enable the remote access and control of information” on Android, iOS and Blackberry mobile phones. To enable its remote installation, NSO abused vulnerabilities in operating systems and apps, and used malware delivery methods such as spearphishing messages with links to malicious code.

NSO marketed Pegasus’s undetectable remote installation feature to its clients, as per the WhatsApp submission. Pegasus could:

  • Intercept communications sent to and from a device, including communications over iMessage, WhatsApp, Skype, Telegram, etc.
  • Remotely turn on the phone’s camera and microphone to capture activity in the phone’s vicinity
  • Use GPS functions to track a target’s location and movements.

How does WhatsApp know it is NSO? As per Cathcart’s op-ed, the servers and Internet-host services used by attackers have previously been associated with NSO. Also, some of the WhatsApp accounts used by attackers have links to NSO.

Did it undermine WhatsApp’s end-to-end encryption? No, according to WhatsApp’s submission. End-to-end encryption works on data in transit, that is, when a message is sent and received. Once a message is received at a device and decrypted, it turns into data at rest. It is this decrypted data that Pegasus snooped on. While end-to-end encryption remained safe, compromised devices meant that NSO could spy on all the messages that were sent.

Who was targeted? WhatsApp said that about 1,400 users were affected by this attack, and WhatsApp has written to them. Citizen Lab helped WhatsApp understand the impact of this attack on civil society. As per the Citizen Lab’s report, over 100 human rights defenders and journalists in at least 20 countries were targeted. It is unclear if there were any Indians affected by the attack. MediaNama has reached out to the Citizen Lab for clarification. 

What does WhatsApp say? According to the company,

  • NSO Group used WhatsApp’s servers and created fake accounts to target people and to send malicious code (Pegasus)
  • NSO mimicked the WhatsApp app and legitimate network traffic to transmit malicious code to target devices over WhatsApp servers
  • WhatsApp has also cited breach of contract (WhatsApp’s Terms of Service) and trespass over the company’s servers as causes for the lawsuit.
  • WhatsApp suffered damages of more than $75,000 and is seeking punitive damages too.

Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ
