[German]In 2019, WhatsApp users fell victim to an attack by spyware that could be installed on Android and iOS devices via a vulnerability. WhatsApp sued the NSO Group, which developed and sold the exploit. A verdict has now been reached that represents a major legal victory for victims who were monitored via WhatsApp by the (Israeli) NSO Group's Pegasus spyware installed on their devices. The NSO Group has been found guilty.
Advertising
Review of the NSO Group WhatsApp exploit
A critical vulnerability CVE-2019-3568 existed 2019 in WhatsApp. In the WhatsApp VOIP stack, a buffer overflow through a special SRTCP packet could lead to remote code execution. The vulnerability was classified as critical because attackers exploited the vulnerability.
Attackers were able to secretly install spyware on the victims' mobile devices via the vulnerability. All it takes is a targeted WhatsApp call on an Android cell phone or iPhone. The WhatsApp call did not even have to be accepted by the victim. The victim could not even trace the attack, as the spyware deletes the information about incoming calls from the logs in order to work secretly.
The WhatsApp exploit was discovered and then sold by the Israeli NSO Group, which creates mobile spyware. NSO Group is an Israeli technology company that offers the spyware Pegasus, which enables the remote monitoring of smartphones (Android, iOS etc.). The Trojan can be installed unnoticed on devices within seconds to monitor phone calls, text messages, emails and even encrypted chats, as well as accessing the microphone and camera.
The Pegasus spyware was installed on Android and iOS devices via the WhatsApp exploit mentioned above. The spyware allows the attacker to remotely access an incredible amount of data on the victim's devices without the victim's knowledge or control. This included text messages, emails, WhatsApp messages, contact details, call recording, location data, as well as microphone and camera data.
Although the exact number of targeted WhatsApp users is still unknown, WhatsApp developers stated that only a "select number" of users were attacked by NSO Group's spyware with this vulnerability. The subsequent lawsuit mentions 1,400 victims.
Advertising
Citizen Lab, a monitoring group at the University of Toronto investigating the NSO Group's activities, believes the vulnerability was used to attack a British human rights lawyer. The vulnerability was closed by WhatsApp through an update of WhatsApp applications. I reported this in the blog post WhatsApp vulnerability CVE-2019-3568; Update required berichtet.
WhatsApp's lawsuit against the NSO Group is successful
As a result of this incident, WhatsApp then sued the NSO Group (lawsuit filed on October 29, 2019) for developing and selling an exploit. The NSO Group tried for 5 years to prevent a judgment in this case.
According to the tweet above, the NSO Group was found guilty in this case by a US court on December 20, 2024. John Scott-Railton, who was probably also working for Citizen Lab, has written up the whole thing in a series of tweets (see linked tweet above).
In another series of tweets, , Natalia Krapiva, an attorney, elaborates on the ruling. NSO was held liable under federal and state law for the hacking of the WhatsApp servers by Pegasus. The court ruled that NSO violated the Computer Fraud and Abuse Act by sending messages through WhatsApp servers to hack users with Pegasus.
NSO did argue that because they owned WhatsApp accounts, they were entitled to use them as they wished (including hacking). However, the court did not accept this as an argument and rejected it.
The court found that NSO violated the CDAFA (California Comprehensive Computer Data Access and Fraud Act). The court also ruled that NSO breached its contract with WhatsApp by violating its terms of service. WhatsApp's terms of use prohibit, among other things, the sending of malicious code, the collection of user data and the use of the app for illegal purposes.
Now that the court has found NSO liable for the hack, the next trial will only have to decide on the damages to be paid by the NSO Group to WhatsApp. The WhatsApp v. NSO jury trial is scheduled to begin at 8:30 a.m. on March 3, 2025 in Oakland, CA.
The ruling is also likely to have a major impact on the lawsuits filed by victims of this spyware attack. The Record Media also summarizes the ruling in this article.
Similar articles
WhatsApp vulnerability CVE-2019-3568; Update required
NSO Group's Pegasus spyware on many smartphones
Security updates for macOS, iOS/iPadOS close two 0-Days from NSO-Group (Pegasus Spyware)
Pegasus spyware detected on French phones, Zeus app detects Pegasus
NSO spyware Pegasus found on smartphones of French journalists
NSO Group in crisis – CEO steps down, layoffs
Advertising
