Lawsuit Alleges Pegasus Spyware Targeted WhatsApp Users
A federal judge in California has ruled that Facebook’s lawsuit against NSO Group – alleging that the Israeli company illegally developed a zero-day exploit to spy on WhatsApp users – can proceed.
The lawsuit, filed in October 2019, alleges that NSO Group developed an exploit that enabled governments to spy on WhatsApp messages from diplomats, journalists, human rights activists and political dissidents (see: Facebook Sues Spyware Maker Over WhatsApp Exploit). Facebook acquired WhatsApp in 2014.
NSO Group, however, scored a legal victory earlier this month when an Israeli court ruled that the company could continue to export its software and tools. Amnesty International had filed a suit to have the company’s export license revoked (see: Israeli Court Dismisses Complaint Against NSO Group).
NSO’s Arguments Rejected
In seeking to have the U.S. lawsuit thrown out, NSO Group’s lawyers argued that the company was acting as a contractor to governments, so it was immune from legal actions. The company also argued that this immunity allows it to keep its list of clients private.
But U.S. District Judge Phyllis Hamilton dismissed NSO Group’s arguments. “In light of these divergent doctrines and the lack of controlling authority, there is no compelling reason to extend derivative sovereign immunity to a foreign entity working on behalf of a foreign sovereign,” Hamilton wrote in her recent ruling.
An NSO Group spokesperson declined to comment, saying the company was still reviewing the judge’s ruling.
A WhatsApp spokesperson tells Information Security Media Group that the company will press ahead with its efforts to obtain documents from NSO Group as part of the ongoing lawsuit.
“We are pleased with the court’s decision permitting us to move ahead with our claims that NSO engaged in unlawful conduct,” the spokesperson says. “The decision also confirms that WhatsApp will be able to obtain relevant documents and other information about NSO’s practices.”
In its lawsuit, Facebook alleges that NSO Group violated a number of laws, including the U.S. Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act, by reverse-engineering its WhatsApp messaging app to develop an exploit. According to the lawsuit, the exploit could deliver spyware called Pegasus to a targeted device merely by an attacker initiating a video call to that device.
The exploit worked as a way to circumvent the security measures, including end-to-end encryption, that Facebook built into WhatsApp, the lawsuit states.
Pegasus, which can intercept communications and extract browser history and contacts, has been sold to customers that include the Kingdom of Bahrain, the United Arab Emirates and Mexico, according to the judge’s ruling.
Over the last several years, organizations such as Amnesty International and Citizen Lab, a Toronto University-based think tank, have published reports about how governments have allegedly used the Pegasus software to spy on human rights activists, journalists and others (see: NY Times Reporter Targeted by Spyware: Report).
In January, following the hacking of Amazon CEO Jeff Bezos’s smartphone, a digital forensic analysis conducted by FTI Consulting, a Washington-based business advisory group, found that Bezos’s device may have been infected with Pegasus software deployed by Saudi Arabian state actors (see: Investigators: Saudis Hacked Amazon CEO Jeff Bezos’ Phone).
The NSO Group has repeatedly denied that its tools are used against activists and others. “Our technology is used to save lives and prevent terror and crime worldwide, and we remain confident that our conduct is lawful,” a company spokesperson says.