A U.S. court mandates that NSO Group provide WhatsApp with the Pegasus spyware code.

A U.S. court mandates that NSO Group provide WhatsApp with the Pegasus spyware code.

As part of the social media behemoth’s continuing legal battle with the Israeli spyware vendor, a U.S. judge has mandated that NSO Group provide Meta access to the source code for Pegasus and other products.

The ruling is a significant legal win for Meta, which brought the complaint in October 2019 after some 1,400 mobile devices were infected with malware between April and May by accessing its infrastructure. Two dozen Indian journalists and activists were also included in this.

These attacks took advantage of a serious buffer overflow fault in the voice call capability of the instant messaging service (CVE-2019-3568, CVSS score: 9.8), which was a zero-day flaw at the time, to deliver Pegasus by just making a call, even in situations when the calls went unanswered.

To avoid discovery, the assault chain also includes procedures to remove the details of incoming calls from the records.

NSO Group has been asked to “produce information concerning the full functionality of the relevant spyware,” specifically for a period of one year prior to the alleged attack to one year following the alleged attack (i.e., from April 29, 2018 to May 10, 2020), according to court documents that were made public late last month.

Nevertheless, WhatsApp “would be able to glean the same information from the full functionality of the alleged spyware,” therefore the business is exempt from having to “provide specific information regarding the server architecture at this time.” More importantly, it has avoided disclosing the identity of its customers.

Donncha Ó Cearbhaill, head of Amnesty International’s Security Lab, said: “While the court’s decision is a positive development, it is disappointing that NSO Group will be allowed to continue keeping the identity of its clients, who are responsible for this unlawful targeting, secret.”

The United States imposed sanctions on NSO Group in 2021 for creating and distributing cyberweapons to other countries, claiming that these states “used these tools to maliciously target government officials, journalists, businesspeople, activists, academics, and embassy workers.”

However, due to its “pay or okay” (also known as pay or consent) subscription model, Meta is coming under increasing pressure from consumer and privacy organizations in the EU. These groups claim that users are forced to choose between paying a “privacy fee” and giving the firm permission to monitor them.

They said that the approach would violate GDPR laws. “This imposes a business model in which privacy becomes a luxury rather than a fundamental right, directly reinforcing existing discriminatory exclusion from access to the digital realm and control over personal data,” they stated.

This development coincides with the disclosure by Recorded Future of a new multi-tiered distribution infrastructure linked to Predator, a mobile spyware mercenary that is under the management of the Intellexa Alliance.

Presumably, the infrastructure network is linked to Predator clients in Angola, Armenia, Botswana, Egypt, Indonesia, Kazakhstan, Mongolia, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago, among other nations. Notably, up to this point, no Predator clients had been located in Botswana or the Philippines.

“Although Predator operators respond to public reporting by altering certain aspects of their infrastructure, they seem to persist with minimal alterations to their modes of operation; these include consistent spoofing themes and focus on types of organizations, such as news outlets, while adhering to established infrastructure setups,” the business stated.

Three domains linked to customers in Botswana, Mongolia, and Sudan were discovered, according to Sekoia’s report on the Predator spyware ecosystem. The company also noted that there was a “significant increase in the number of generic malicious domains which do not give indications on targeted entities and possible customers.”


Scroll to Top