WhatsApp is suing Israeli NSO Group for alleged spyware distribution
WhatsApp is suing the Israeli NSO Group for allegedly behind the malware that infects the phones of 1,400 WhatsApp users. This made it possible to spy on owners despite the chat app’s end-to-end encryption.
WhatsApp reports in a statement that it has started a case in a US court in which it targets the NSO Group and its parent company Q Cyber Technologies. WhatsApp describes NSO Group as a spyware company and claims that both companies have violated the US federal Computer Fraud and Abuse Act and California laws, as well as the WhatsApp terms. The company behind the popular chat app wants to prevent NSO from using WhatsApp any longer.
According to WhatsApp, NSO had targeted its spyware at 1,400 of its users, including at least 100 journalists or human rights activists. The spyware was deployed in April and May. To avoid the technical limitations of the WhatsApp Signaling Servers, NSO distributed “call start messages” containing malicious code pretending to be legitimate conversations. In addition, the code was hidden in the conversation settings, WhatsApp says. This allowed the spyware to be brought to the device and appeared to come from the WhatsApp Signaling Servers. As soon as a WhatsApp call was established, the malware was injected into the device’s memory, even if the call was not answered, WhatsApp writes. The vulnerability that enabled this exploit was patched in mid-May. Back then, the NSO Group was already mentioned, but now the company is specifically and publicly mentioned, including in the indictment.
Incidentally, it remains to be seen whether the lawsuit will make any difference. Normally, a case about potentially violating rules from the Computer Fraud and Abuse Act involves hackers who have hacked into a company’s computers. In this case, it is a case against a company that has misused another company’s software to break into its users’ computers.
The law revolves around unauthorized access and therefore hacking, so WhatsApp will have to prove that NSO got illegal access to its systems. Tor Ekeland, a lawyer who often assists hackers, tells Wired that WhatsApp may be able to demonstrate that NSO has hacked not only its users, but also its own servers, but according to him WhatsApp is not clear about this. Moreover, WhatsApp parent company Facebook has had similar cases in the past. The judge then ruled that the Computer Fraud and Abuse Act had only been violated because Facebook had warned an offending company to stop using Facebook. However, WhatsApp’s current indictment makes no mention of a previous WhatsApp call to NSO to stop using the services and stop hacking users.
In a statement to the BBC, among others, NSO says it will contest the allegations and disagree with WhatsApp’s reading. The company states its sole purpose is to provide technology to government agencies to help them fight terrorism and serious crime.