NSO Group Continued Exploiting WhatsApp to Deliver Pegasus Spyware Post Meta Lawsuit

November 18, 2024

Legal documents recently made public amid the ongoing legal battle between WhatsApp, owned by Meta, and NSO Group, an Israeli spyware manufacturer, reveal that the latter continued to use various exploits to deliver its Pegasus spyware via WhatsApp, even after Meta had initiated legal action against it. The documents also reveal NSO Group's persistent efforts to install its invasive surveillance tool on targeted devices, despite WhatsApp's attempts to bolster its defenses.

In May 2019, WhatsApp announced that it had thwarted a complex cyber attack that exploited its video calling system to clandestinely deliver Pegasus malware. This attack took advantage of a zero-day vulnerability, known as CVE-2019-3568, a critical buffer overflow bug in the voice call functionality. The recently released documents show that NSO Group 'developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus.' This zero-click exploit could compromise a victim's phone without any interaction from the victim and was used even after WhatsApp filed a lawsuit against NSO Group in October 2019. It was finally neutralized after May 2020.

Erised is thought to be one of several malware vectors, collectively referred to as Hummingbird, that NSO Group created to install Pegasus using WhatsApp. This includes vectors known as Heaven and Eden, the latter being a codename for CVE-2019-3568, which was used to target around 1,400 devices. According to the unsealed court documents, "[NSO Group has] admitted that they developed those exploits by extracting and decompiling WhatsApp's code, reverse-engineering WhatsApp, and designing and using their own 'WhatsApp Installation Server' (or 'WIS') to send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state law and the plain language of WhatsApp's Terms of Service."

Specifically, Heaven manipulated messages to compel WhatsApp's signaling servers, which authenticate the client or installed app, to direct targeted devices to a third-party relay server controlled by NSO Group. By the end of 2018, server-side security updates made by WhatsApp led NSO Group to develop a new exploit, named Eden, by February 2019. This eliminated the need for NSO Group's own relay server, instead using relays operated by WhatsApp.

'NSO refused to state whether it developed further WhatsApp-based Malware Vectors after May 10, 2020,' according to one of the documents. NSO Group also admitted that the malware vectors were used to successfully install Pegasus on 'between hundreds and tens of thousands' of devices. The documents also reveal how Pegasus is installed on a target's device using WhatsApp, and that it is NSO Group, not the customer, that operates the spyware. This contradicts previous claims from the Israeli company that its customers are responsible for managing the system and have access to the intelligence gathered by it.
