Published on: November 21, 2024
Recent court filings in Meta’s lawsuit against Israeli spyware vendor NSO Group have revealed shocking details about how NSO exploited WhatsApp’s vulnerabilities to deliver its Pegasus spyware.
Despite Meta suing the company in October 2019, NSO continued to develop and deploy zero-click exploits, including one called “Erised,” which remained active until at least May 2020. These attacks allowed Pegasus to infect devices without user interaction, compromising the privacy of thousands globally.
The documents expose NSO’s methods, including reverse-engineering WhatsApp’s code to create exploits like “Heaven” and “Eden.” The spyware leveraged WhatsApp’s servers to redirect targeted devices to NSO-controlled systems, bypassing security defenses. When WhatsApp implemented server-side updates in 2018, NSO adapted, creating new tools to maintain access.
“They developed those exploits by extracting and decompiling WhatsApp’s code, reverse-engineering WhatsApp, and designing and using their own ‘WhatsApp Installation Server’ (or ‘WIS’) to send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state law and the plain language of WhatsApp’s Terms of Service,” the released documents stated.
One exploit, for the vulnerability tracked as CVE-2019-3568, targeted 1,400 devices in May 2019. After WhatsApp strengthened its defenses, NSO pivoted to “Eden,” a more sophisticated attack using WhatsApp’s own relay servers.
Contrary to NSO’s claims that its clients operate the spyware themselves to combat terrorism and crime, the filings show that NSO controlled the entire process. Clients provided a phone number, and NSO managed the installation, surveillance, and data retrieval. Victims of Pegasus include journalists, activists, and government officials, sparking global concerns about misuse.
The implications extend beyond this lawsuit. Apple, which has enhanced iOS security with tools like Lockdown Mode, recently dropped its own lawsuit against NSO, citing concerns about revealing sensitive threat intelligence. Meanwhile, WhatsApp continues to strengthen defenses, but the persistence of NSO’s spyware highlights the challenges of protecting users from commercial surveillance.