Facebook files lawsuit against spyware maker NSO Group over 2018 WhatsApp attack

  • Liam Tung (CSO Online)
  • 30 October, 2019 07:54

Facebook has filed a lawsuit against spyware maker NSO Group over its alleged exploitation of a security flaw in WhatsApp, disclosed in May, to target human rights activists.

Facebook and its subsidiary WhatsApp filed the lawsuit today, alleging NSO Group — an Israel-based firm that sells lawful intercept software marketed as Pegasus — had breached WhatsApp's terms of service.

Facebook is also seeking an injunction to ban NSO employees from using WhatsApp as well as damages under the US Computer Fraud and Abuse Act. 

NSO Group first came to public attention in 2016 after researchers from Citizen Lab and mobile security firm Lookout reported that NSO’s Pegasus malware was used to spy on a human rights activist in the United Arab Emirates.

More recently, security researchers at Google found information implicating NSO Group in attacks that exploited a flaw affecting Google Pixel phones, as well as Android smartphones from Samsung, Huawei, LG and Xiaomi. 

WhatsApp today messaged around 1,400 users that it believes may have been impacted by the attack it detected in May. Based on new research performed by Citizen Lab, WhatsApp believes at least 100 citizens were targeted.

NSO’s WhatsApp attack was striking because it allowed Pegasus users to simply call a target and send specially crafted packets to the phone to exploit a flaw in the app and install spyware on the target device. Infections happened even if the victim didn’t answer the call.  

Facebook rushed out a patch in May after the attack was detected.  

According to Citizen Lab, the 100 targets included human rights workers and journalists from Africa, Asia, Europe, the Middle East, and North America. 

In February, European private equity firm Novalpina Capital acquired NSO Group, promising to bring the company “in full alignment with UN Guiding Principles on Business and Human Rights”. 

However, Citizen Lab said the 100 cases it identified occurred after Novalpina Capital acquired NSO Group. 

In the lawsuit, WhatsApp accuses NSO Group of reverse engineering the WhatsApp app, which allowed them to “emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers.”

“In order to compromise the Target Devices, [NSO Group] routed and caused to be routed malicious code through [WhatsApp’s] servers—including Signaling Servers and Relay Servers—concealed within part of the normal network protocol.

“WhatsApp’s Signaling Servers facilitated the initiation of calls between different devices using the WhatsApp Service. WhatsApp’s Relay Servers facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to use [WhatsApp’s] servers in this manner,” the complaint reads.

The complaint says that the 1,400 targets included attorneys, journalists, human rights activists, political dissidents, diplomats, and senior foreign government officials.

The WhatsApp accounts were allegedly created by NSO Group employees using telephone numbers registered in Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands, according to the complaint. 

WhatsApp’s complaint also details how the attack was able to install the spyware just by calling the target. 

“Defendants used and caused to be used, without authorization, WhatsApp Signaling Servers, in an effort to compromise Target Devices. To avoid the technical restrictions built into WhatsApp Signaling Servers, Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings. 

“Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers. Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.”

NSO Group responded to CSO Online's request for comment with a statement disputing Facebook's allegations. NSO Group contends that its software is only used to combat serious crimes.

Here's the full statement from NSO Group: 

“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.

“The truth is that strongly encrypted platforms are often used by pedophile rings, drug kingpins and terrorists to shield their criminal activity. Without sophisticated technologies, the law enforcement agencies meant to keep us all safe face insurmountable hurdles. NSO’s technologies provide proportionate, lawful solutions to this issue.

“We consider any other use of our products than to prevent serious crime and terrorism a misuse, which is contractually prohibited. We take action if we detect any misuse. This technology is rooted in the protection of human rights – including the right to life, security and bodily integrity – and that’s why we have sought alignment with the U.N. Guiding Principles on Business and Human Rights, to make sure our products are respecting all fundamental human rights.”