NSO Group Exploited WhatsApp to Deploy Pegasus Spyware Despite Meta Lawsuit


Legal documents from an ongoing legal battle between Meta's WhatsApp and the NSO Group have revealed shocking details: the Israeli spyware firm exploited multiple vulnerabilities in WhatsApp to deploy its infamous Pegasus spyware, even after being sued by Meta in 2019.

Sophisticated Exploits Used to Target WhatsApp

In May 2019, WhatsApp uncovered a cyberattack exploiting its video calling feature to deliver Pegasus malware. This attack leveraged a zero-day vulnerability tracked as CVE-2019-3568 (CVSS score: 9.8), a critical buffer overflow flaw in the app's voice call functionality. WhatsApp swiftly patched the vulnerability.

However, the court filings reveal that the NSO Group continued its operations, creating another zero-click exploit—codenamed Erised—that compromised devices without user interaction. This exploit, part of a broader set of tools dubbed Hummingbird, used WhatsApp servers to install Pegasus and was active until at least May 2020, months after Meta filed a lawsuit in October 2019.


How Pegasus Was Deployed

NSO’s tactics involved reverse-engineering WhatsApp’s code and using a custom WhatsApp Installation Server (WIS) to send manipulated messages. These messages bypassed the app’s legitimate functionality to force WhatsApp’s servers into installing Pegasus spyware. The exploits included:

  1. Heaven: Redirected target devices to NSO-controlled servers.
  2. Eden: Improved upon Heaven by using WhatsApp’s own servers as relays for malware delivery.

Court documents further revealed that NSO spyware installations required minimal client involvement:

  • The customer only needed to enter the target device's phone number.
  • NSO handled the entire spyware installation and data retrieval process.

The malware was installed on “hundreds to tens of thousands” of devices, according to NSO’s own admissions.


NSO’s Defense and Controversy

NSO Group maintains that Pegasus is intended for use in combating terrorism and serious crime. However, leaked documents suggest that NSO, not its clients, had full control over the spyware’s deployment. This contradicts the company’s claims that clients managed the system and intelligence operations.


Broader Spyware Threats and Security Measures

While Apple voluntarily dismissed its lawsuit against NSO in September 2024, citing risks to critical threat intelligence, the iPhone maker has since introduced robust security features to combat spyware:

  • Lockdown Mode: A feature launched two years ago to limit app functionality and block configuration profiles.
  • Inactivity Reboot (iOS 18.2 Beta): Automatically reboots the phone after 72 hours of inactivity, requiring re-entry of the password for access.

Magnet Forensics confirmed this feature, stating that it enhances device security by resetting the system’s locked state.


Implications for Cybersecurity

The revelations highlight the evolving threat of mercenary spyware and underscore the importance of strengthening app and device defenses. With zero-click exploits like Erised, even the most cautious users can fall victim to sophisticated cyberattacks.
