In new court filings, WhatsApp alleged notorious Israeli spyware company NSO Group was responsible for human rights violations through targeted mobile phone hacks.
WhatsApp has alleged that Israeli spyware company NSO Group was responsible for human rights violations by hacking the phones of hundreds of WhatsApp users including senior government officials, journalists and human rights activists, according to a report by The Guardian.
In October, WhatsApp, which is owned by Facebook, sued NSO Group in US federal court for allegedly targeting some 1,400 users of its encrypted messaging service with highly sophisticated spyware, notably NSO’s infamous hacking software Pegasus.
The lawsuit is the first legal action of its kind, as it treads in a near-total unregulated realm.
Facebook says NSO Group violated the US Computer Fraud and Abuse Act with a crafty exploit that took advantage of a flaw in WhatsApp, allowing smartphones to be infiltrated from a missed call alone.
In new court filings, WhatsApp said the Israeli company hacked the phones of more than a dozen Indian journalists and Rwandan dissidents, according to The Guardian.
NSO Group has long maintained that its merchandise is purchased by government officials to track down terrorists and criminals, while the company has no knowledge of how its clients deploy its spyware.
The company has reiterated these statements in court.
Based on its own investigation, WhatsApp found otherwise.
After infecting users’ devices with Pegasus spyware, via phone calls on the messaging platform, WhatsApp found NSO “used a network of computers to monitor and update Pegasus after it was implanted on users’ devices”.
“These NSO-controlled computers served as the nerve centre through which NSO controlled its customers’ operation and use of Pegasus,” WhatsApp said.
NSO gained “unauthorised access” to WhatsApp service by reverse-engineering the application and dodging security features that prevent the manipulation of call features, WhatsApp added.
In a sworn statement, a WhatsApp engineer involved in the investigation said that in 720 instances, the IP address of a remote server was included in the malicious code used in the hacks.
The server was based in Los Angeles and owned by a company whose data centre was used by NSO, the engineer said.
Citizen Lab’s John Scott-Railton, who has worked with WhatsApp on the case said the Israeli company’s control of the servers involved in the hacks suggests the company would have possessed logs – including IP addresses – identifying hacking targets.
“Our products are used to stop terrorism, curb violent crime, and save lives. NSO Group does not operate the Pegasus software for its clients,” NSO Group said in a statement to the Guardian. “Our past statements about our business, and the extent of our interaction with our government intelligence and law enforcement agency customers, are accurate.”
The company said it would file its response to the court in coming days.
NSO Group has for years fought accusations it has supplied Pegasus spyware to authoritarian governments who have used it to hack dissidents’ phones, while counting Saudi Arabia among its more prominent clients.
NSO is also marketing a tracking product that uses mobile phone data to identify people who came in contact with Covid-19 cases.
The company defended its latest tool, stating it has proved “vital” for governments around the world and does not compromise users’ privacy.