WhatsApp sues Israel’s NSO Group over Spyware

WhatsApp, the globally popular messaging app owned by Facebook, filed suit Tuesday against Israeli technology firm NSO Group, alleging that NSO’s Pegasus technology used a vulnerability in WhatsApp’s code to deliver malicious code to cell phones, allowing NSO to have unauthorized access to those devices, in violation of WhatsApp’s terms of use and the Computer Fraud and Abuse Act. 

The complaint was accompanied by a Washington Post editorial written by Will Cathcart, head of WhatsApp. 

Reports emerged in May that WhatsApp had discovered a security flaw in its app, which allowed for sophisticated actors to install malware into a user’s phone without their knowledge using the call feature.  The user did not have to accept the call for the attack to be successful. WhatsApp issued an update soon after discovering the flaw that repaired the vulnerability.  At the time, WhatsApp described the attacker as “an advanced cyber actor.”

The complaint and accompanying statements from Cathcart reveal how WhatsApp traced the intrusions to Israel-based NSO Group.  “As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and Internet-hosting services that were previously associated with NSO. In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO,” Cathcart wrote.  “While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”

The complaint specified that the attack targeted “attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.”

NSO’s clientele includes Western and Middle Eastern intelligence agencies. While they deny involvement in the WhatsApp attacks, and NSO has been linked to investigations of Mexican journalists and teams investigating a mass kidnapping in Mexico.  The New York Times reported that NSO’s software had been used to spy on columnist Jamal Khashoggi by Saudi authorities.  

After WhatsApp closed the vulnerability in May, the complaint alleges that an NSO employee complained to them.  “Specifically, NSO Employee 1 stated, ‘You just closed our biggest remote for cellular . . . It’s on the news all over the world.’”

WhatsApp’s complaint was filed by Cooley in the Northern District of California.