Meta Reveals NSO Group Used Multiple Exploits, Including a Zero-Click Attack, to Target WhatsApp Users Despite Lawsuit
Legal documents unsealed amid an ongoing dispute between Meta-owned WhatsApp and Israel-based NSO Group have exposed the latter’s repeated use of exploits to deploy Pegasus spyware through the messaging app, even after being sued for such actions.
The filings reveal that NSO Group continued targeting WhatsApp users with advanced methods, adapting to new defenses deployed by the app.
Background:
Notably, in May 2019, WhatsApp identified and blocked a cyberattack exploiting a zero-day vulnerability (CVE-2019-3568, CVSS score: 9.8), a critical flaw in the app’s voice call functionality, to secretly install Pegasus.
Despite WhatsApp’s lawsuit against NSO Group in October 2019, the spyware vendor allegedly developed another exploit, known as Erised, by May 2020. This zero-click attack, which required no user interaction, leveraged WhatsApp servers to infect target devices.
Erised was part of a broader suite of exploits, codenamed Hummingbird, that included vectors like Heaven and Eden (a codename for CVE-2019-3568). These methods were reportedly used to compromise up to tens of thousands of devices globally.
Exploiting WhatsApp Infrastructure
According to the court documents, NSO Group reverse-engineered WhatsApp’s code, creating a “WhatsApp Installation Server” to transmit malformed messages capable of delivering Pegasus. Exploits like Heaven redirected WhatsApp’s signaling servers to NSO-controlled relay servers, bypassing authentication safeguards.
When WhatsApp strengthened its server-side security by late 2018, NSO devised Eden by early 2019, eliminating the need for third-party relays and exploiting WhatsApp’s own infrastructure.
The filings also challenge NSO Group’s long-standing claim that its clients independently manage the spyware. Instead, it was revealed that NSO controls every step of Pegasus deployment and data retrieval. Customers reportedly only needed to input the target’s phone number and initiate the installation process, while NSO oversaw the operation remotely.
Pegasus and Ongoing Scrutiny
NSO Group defends Pegasus as a tool for combating terrorism and serious crimes, maintaining that its clients bear responsibility for its usage. However, the revelations underscore significant ethical and legal concerns, particularly regarding unauthorized surveillance and the scale of affected devices.
Apple, which previously filed a lawsuit against NSO Group, voluntarily dismissed the case in September 2024, citing risks of exposing sensitive security intelligence. Meanwhile, the tech giant has bolstered iPhone defenses, introducing features like Lockdown Mode, which limits app functionality to reduce the attack surface exposed to potential attacks.
Additionally, a new inactivity reboot feature in beta versions of iOS 18.2 forces devices to reboot after 72 hours of inactivity, requiring a password to access the phone again.
Digital forensics firm Magnet Forensics, known for its GrayKey tool, acknowledged the implications of this feature, emphasizing the urgency of extracting data promptly to preserve forensic evidence.
These developments highlight the ongoing battle between tech companies and spyware vendors, underscoring the importance of robust security measures to protect user privacy.