WhatsApp, the messaging service owned by Facebook, is suing NSO Group, an Israeli technology firm for allegedly sending malware that exploited its platform in order to conduct surveillance. A lawsuit was filed by the company in a district court in California, United States on Tuesday. The complaint states that malicious software was designed to infect over 1,000 specifically-targeted devices. Since WhatsApp has end-to-end encryption, the tech giant alleges that the Israeli company, which sells to government clients, developed the malware to access messages and other communications after they were decrypted. Simply put, communication that was intended to stay between the sender and the recipient were exposed, thanks to the alleged malware infected into these devices. This development is consequential because a Canadian academic research group, working with WhatsApp, has identified that these targets included journalists and human rights defenders.
What happened
In May this year, WhatsApp said that it 'stopped a highly sophisticated cyber attack' that exploited its video calling feature. By simply calling the targeted phone, the attackers injected commercial spyware into the device, it said. Following the attack, Citizen Lab, a multidisciplinary research group at the University of Toronto, offered to help WhatsApp identify cases where the ‘suspected targets of this attack were members of civil society, such as human rights defenders and journalists.’ With WhatsApp attributing the May attack to the NSO Group on Tuesday, Citizen Lab says that it has identified over 100 cases of ‘abusive targeting’ of human rights activists and journalists in at least 20 countries from Africa, Asia, Europe, the Middle East, and North America. While WhatsApp pushed out an update at the time on app stores adding new protective features, the attack has constituted a breach of its Terms of Service.
According to WhatsApp’s lawsuit, among other actions, the cyber tech group used WhatsApp servers and the WhatsApp Service without authorization, to send discrete malware components (ie malicious code) to certain devices.
How WhatsApp was compromised
“First, [the NSO Group] set up various computer infrastructure, including WhatsApp accounts and remote servers, used to infect the [targeted devices] and conceal [their] identity and involvement. Second, [the NSO Group] used and caused to be used WhatsApp accounts to initiate calls through [WhatsApp’s] servers that were designed to secretly inject malicious code onto [targeted devices]. Third, [the NSO Group] caused the malicious code to execute on some of the [targeted devices], creating a connection between those [targeted devices] and computers controlled by [the NSO Group] (the “remote servers”).” it argued.
Finally, WhatsApp alleges that the group then caused targeted devices to download and install additional malware from these remote servers, which was then used for accessing data and communications on the device. This malware is believed to be a remote access trojan (RAT), the kind that is downloaded without the user's explicit consent and designed to give complete control of the system (mobile phone or computer) to the attacker. Targets included phone numbers from the Kingdom of Bahrain, the United Arab Emirates, and Mexico in addition to government agencies in these countries and private entities.
Among the ways in which the attack manifested, WhatsApp alleges that the NSO Group targeted codes that helped users place a call from one phone to another. What would appear to be a legitimate incoming call would, in fact, reportedly deliver the malicious code to the targeted device, even if the target did not answer the call. The code would then attach itself to the memory of the targeted device, paving the way for full device access. WhatsApp says that phone numbers of accounts used to send malicious code was registered in different counties, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands; the malicious servers were owned by Choopa, Quadranet, and Amazon Web Services (AWS), among others.
NSO Group
The Israeli tech company, based out of Tel Aviv, has said that it provides 'authorized governments with technology that helps them combat terror and crime'. However, this technology is widely known to be surveillance technology sold to government clients. “The company sells only to authorized governmental agencies, and fully complies with strict export control laws and regulations. Moreover, the company does NOT operate any of its systems; it is strictly a technology company,” NSO Group had told Forbes in 2016, shortly after it was pulled up for targeting the iPhone of an Emirati human rights activist.
While the company, was reportedly financed by a San Francisco–based private equity firm between 2014 and 2019, in February this year it was reacquired by its founders and management. According to Citizen Lab, majority shares in the Group are owned by a European private equity firm, Novalpina Capital.
Q Cyber Technologies company, NSO Group’s alleged parent firm has also been named as a defendant in the lawsuit.