WhatsApp achieved a significant victory against NSO Group this week, with a jury ordering the spyware maker to pay over $167 million in damages to Meta, WhatsApp’s parent company. This ruling marked the end of a legal battle that began in 2019 when WhatsApp accused NSO Group of hacking over 1,400 users by exploiting a vulnerability in the app’s audio-calling feature.
The courtroom drama unfolded over a week, featuring testimonies from NSO Group’s CEO Yaron Shohat and WhatsApp employees involved in responding to the breach. Prior to the trial, revelations emerged, including NSO Group cutting ties with 10 government clients for misusing its Pegasus spyware, the identification of 1,223 victims, and the countries utilizing the spyware, such as Mexico, Saudi Arabia, and Uzbekistan.
During the trial, it was revealed that the WhatsApp attack was executed through a zero-click method, meaning the spyware required no action from the target. NSO Group’s “WhatsApp Installation Server” was utilized to send fake messages through the app’s infrastructure, prompting the user’s device to download the Pegasus spyware without any interaction.
In a surprising turn of events, it was disclosed that NSO Group tested its spyware on an American phone number as a demonstration for the FBI, despite claiming that its software couldn’t target US numbers. The FBI ultimately decided against deploying Pegasus following the test.
NSO Group’s CEO explained that the company’s government clients have no direct control over the hacking techniques employed by Pegasus. The system autonomously selects the exploit to use against each target based on the backend algorithms.
NSO Group’s headquarters in Herzliya, Israel, coincidentally shares a building with Apple. The top five floors house NSO Group, while Apple occupies the rest. This proximity is noteworthy, considering that Apple’s iPhone users are frequent targets of NSO’s Pegasus spyware.
Despite facing legal action from WhatsApp, NSO Group continued to target users of the messaging app. Various versions of the zero-click attack, including “Erised,” “Eden,” and “Heaven,” collectively known as “Hummingbird,” were in operation even after the lawsuit was filed.
This latest development in the ongoing saga between WhatsApp and NSO Group sheds light on the intricate workings of spyware technology and the legal battles that ensue. As the case unfolds, more insights into the world of cybersecurity and surveillance are expected to emerge.