Facebook and subsidiary WhatsApp have filed suit against shadowy Israeli cyber-intelligence firm NSO Group, saying that it exploited a vulnerability in the encrypted messaging app to infect over 1,400 phones with malware.
Per Bloomberg, the suit alleges that from January 2018 to May 2019, NSO created bogus WhatsApp accounts using phone numbers from different countries as well as created a “network of remote servers intended to distribute malware and relay commands to the Target Devices.” From around April 29 to May 10 this year, the suit additionally claimed, NSO used those accounts to place calls that deployed malware to “attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials” via the remote servers. WhatsApp is asking for a permanent injunction on NSO’s use of its products.
The specific WhatsApp vulnerability Facebook said was used to deploy the malware (CVE-2019-3568) was fixed in May 2019 after WhatsApp detected attacks on its servers. At the time, WhatsApp told reporters that the attack “has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” adding it had briefed human rights groups and civil society organisations on the breaches.
NSO builds powerful malware such as its flagship Pegasus project, which is reportedly capable of taking over targeted phones (as well as penetrating any cloud services linked to those phones). It claims that its tools are only sold to legitimate governments for purposes like counter-terrorism and fighting transnational organised crime. But its CEO, Shalev Hulio, has justified using them to target journalists and lawyers, and the company has also claimed that whenever NSO does not comment on specific clients, but the Toronto-based Citizen Lab has “identified a total of 45 countries where Pegasus operators may be conducting surveillance operations,” including at least “10 Pegasus operators [which] appear to be actively engaged in cross-border surveillance.”
Citizen Lab has also linked NSO to spyware found on the phone of a Saudi dissident in Canada, Omar Abdulaziz, who regularly spoke via WhatsApp with journalist-in-exile Jamal Khashoggi. Khashoggi was tortured and murdered in the Saudi consulate in Istanbul last year.
The lawsuit doesn’t identify who NSO’s client was.
In a statement to Bloomberg, NSO wrote, “The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists. It has helped to save thousands of lives over recent years.”
NSO added that it would “take action if we detect any misuse” of its products.
“They want the credibility of having powerful intelligence services as their customers, but at the same time they want to take credit only for the alleged successes while disclaiming responsibility for any of the alleged abuses,” Citizen Lab senior researcher John Scott-Railton told Bloomberg. “This lawsuit shatters the illusion of this unaccountable bubble.”