Five things we learned from WhatsApp vs. NSO Group spyware lawsuit

On Tuesday, WhatsApp scored a major victory against NSO Group when a jury ordered the infamous spyware maker to pay more than $167 million in damages to the Meta-owned company.

The ruling concluded a legal battle spanning more than five years, which started in October 2019 when WhatsApp accused NSO Group of hacking more than 1,400 of its users by taking advantage of a vulnerability in the chat app’s audio-calling functionality.

The verdict came after a week-long jury trial that featured several testimonies, including NSO Group’s CEO Yaron Shohat and WhatsApp employees who responded and investigated the incident.

Even before the trial began, the lawsuit had unearthed several revelations, including that NSO Group had cut off 10 of its government customers for abusing its Pegasus spyware, the locations of 1,223 of the victims of the spyware campaign, and the names of three of the spyware maker’s customers: Mexico, Saudi Arabia, and Uzbekistan.

TechCrunch read the transcripts of the trial’s hearings and is highlighting the most interesting facts and revelations that came out. We will update this post as we learn more from the cache of more than 1,000 pages.

Testimony described how the WhatsApp attack worked

The zero-click attack, which means the spyware required no interaction from the target, “worked by placing a fake WhatsApp phone call to the target,” as WhatsApp’s lawyer Antonio Perez said during the trial. The lawyer explained that NSO Group had built what it called the “WhatsApp Installation Server,” a special machine designed to send malicious messages across WhatsApp’s infrastructure mimicking real messages.

“Once received, those messages would trigger the user’s phone to reach out to a third server and download the Pegasus spyware. The only thing they needed to make this happen was the phone number,” said Perez.

NSO Group’s research and development vice president Tamir Gazneli testified that “any zero-click solution whatsoever is a significant milestone for Pegasus.”

NSO Group confirms it targeted an American phone number as a test for the FBI

For years, NSO Group has claimed that its spyware cannot be used against American phone numbers, meaning any cell number that starts with the +1 country code.

In 2022, The New York Times first reported that the company did “attack” a U.S. phone but it was part of a test for the FBI.

NSO Group’s lawyer Joe Akrotirianakis confirmed this, saying the “single exception” to Pegasus not being able to target +1 numbers “was a specially configured version of Pegasus to be used in demonstration to potential U.S. government customers.”

The FBI reportedly chose not to deploy Pegasus following its test.

How NSO Group’s government customers use Pegasus

NSO’s CEO Shohat explained that Pegasus’ user interface for its government customers does not provide an option to choose which hacking method or technique to use against the targets they are interested in, “because customers don’t care which vector they use, as long as they get the intelligence they need.”

In other words, it’s the Pegasus system in the backend that picks out which hacking technology, known as an exploit, to use each time the spyware targets an individual.

In a funny coincidence, NSO Group’s headquarters in Herzliya, a suburb of Tel Aviv in Israel, is in the same building as Apple, whose iPhone customers are also frequently targeted by NSO’s Pegasus spyware. Shohat said NSO occupies the top five floors and Apple occupies the remainder of the 14-floor building.

The fact that NSO Group’s headquarters are openly advertised is somewhat interesting on its own. Compare other companies that develop spyware or zero-days, like the Barcelona-based Variston, which shuttered in February and was located in a co-working space while claiming on its official website to be located somewhere else.

NSO Group admitted that it kept targeting WhatsApp users after the lawsuit was filed

Following the spyware attack, WhatsApp filed its lawsuit against NSO Group in November 2019. Despite the active legal challenge, the spyware maker kept targeting the chat app’s users, according to NSO Group’s research and development vice president Tamir Gazneli.

Gazneli said that “Erised,” the codename for one of the versions of the WhatsApp zero-click vector, was in use from late-2019 up to May 2020. The other versions were called “Eden” and “Heaven,” and the three were collectively known as “Hummingbird.”

Lorenzo Franceschi-Bicchierai is a Senior Writer at TechCrunch, where he covers hacking, cybersecurity, surveillance, and privacy. You can contact Lorenzo securely on Signal at +1 917 257 1382, on Keybase/Telegram @lorenzofb, or via email at lorenzo@techcrunch.com.
