Five Things We Learned from WhatsApp vs. NSO Group Spyware Litigation

On Tuesday, WhatsApp won a big victory over the NSO group, with ju-deciding to order the infamous spyware maker to pay more than $167 million in damages to the meta-owned company.

The ruling concluded a legal battle that lasted over five years. This began in October 2019 when WhatsApp accused NSO groups of hacking over 1,400 users by exploiting a vulnerability in the audio call feature of chat apps.

The verdict came after a week of ju trial featuring several testimonies, including NSO group CEO Yaron Shohat and WhatsApp employees who investigated in response to the case.

Even before the trial began, NSO groups were unearthing several revelations, including the abuse of Pegasus spyware, the locations of 10 government customers, 1,223 victims of spyware campaigns, and the names of three customers from the spyware maker.

TechCrunch reads the transcripts from the trial hearing and highlights the most interesting facts and revelations that have come up. I’ll update this post as I check more from my cache of over 1,000 pages.

Testimony explained how the WhatsApp attack worked

The zero-click attack meant that spyware didn’t require interaction from the target, and “it worked by making fake WhatsApp calls to the target,” WhatsApp lawyer Antonio Perez said during the trial. The lawyer explained that the NSO group has built what is called “WhatsApp Installation Server.” This is a special machine designed to mimic real messages across WhatsApp’s infrastructure and send malicious messages.

“When we received these messages trigger the user’s phone and reach out to the third server and download Pegasus spyware. All we needed to do is a phone number,” Perez said.

Tamil Gazneli, Vice President of Research and Development for NSO Group, testified that “any zero-click solution is an important milestone for Pegasus.”

The NSO Group has confirmed that it targeted US phone numbers as a test for the FBI

For years, NSO Group has argued that its spyware cannot be used against American phone numbers. In other words, it means a cell number that starts with a +1 country code.

In 2022, The New York Times first reported that the company “attacked” US mobile phones, but was part of the FBI’s testing.

NSO Group lawyer Joe Akrotirianakis confirmed this and said Pegasus’ “single exception” cannot target the number +1.

The FBI reportedly chose not to deploy Pegasus after its test.

How NSO Group Government Customers Use Pegasus

NSO CEO Shohat explained that Pegasus’ user interface for government customers does not provide the option to select the hacking method or technique to use for targets of interest, as “as long as the customer gets the intelligence they need, they don’t care which vectors they use.”

In other words, it is the back-end Pegasus system that chooses hacking technology known as exploits for use every time spyware targets individuals.

NSO Group headquarters shares the same building as Apple.

An interesting coincidence, the NSO Group’s headquarters in Herzliya, a suburb of Tel Aviv, Israel, is located in the same building as Apple, and its iPhone customers are also frequently targeted by NSO Pegasus Spyware. Shohat said the NSO occupy the top five floors, while Apple occupy the rest of the 14-storey building.

The fact that the NSO Group’s headquarters is openly advertised is somewhat interesting in its own right. Other companies that develop spyware and zero-days, like Barcelona-based Bariston, which closed in February, have been in coworking spaces, claiming they are somewhere on their official website.

The NSO group has confirmed that it continues to target WhatsApp users after the lawsuit was filed

After the SPYware attack, WhatsApp filed a lawsuit against the NSO group in November 2019. Despite aggressive legal challenges, SPYware makers continued to target users of chat apps.

Gazneli said that “Erised,” the codename for one of the versions of WhatsApp Zero-Click Vector, was in use from late 2019 to May 2020.