Lawsuit Reveals NSO’s Pegasus Spyware Infected Meta’s WhatsApp

Legal filings in Meta’s lawsuit against the Israeli company NSO Group reveal that NSO’s Pegasus spyware continued to infect Meta’s WhatsApp platform even as WhatsApp kept adapting with new defenses, according to an article by Ravie Lakshmanan in The Hacker News.

One attack, “a zero-click exploit that could compromise a victim’s phone without any interaction from the victim,” was neutralized sometime after May 2020. Remarkably,  Lakshmanan points out that the timeline indicates that Pegasus was employed even after WhatsApp filed its lawsuit against NSO Group in October 2019.

A 2019 article from The Hacker News, written some months before the lawsuit was filed and on the occasion of an early reported Pegasus hack of WhatsApp, describes how the product functions.

The customer activates it merely by placing a WhatsApp call. Pegasus then goes to work even if the call isn’t answered. The customer gains access to huge amounts of data from the victim’s phone as a result, including “text messages, emails, WhatsApp messages, contact details, calls record, location, microphone, and camera—all without the victims’ knowledge.”

According to recently unsealed court documents in the case, NSO Group admitted that it extracted and reverse-engineered WhatsApp’s code. It then designed its own version, which would send “malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state law and the plain language of WhatsApp’s Terms of Service.”

NSO Group has maintained that its product is meant to combat serious crime and terrorism and that its clients manage the system and the intelligence it gathers. However, according to Lakshmanan, when reading the court documents, they indicate that the NSO Group and not the customer operated the spyware.