The Facebook-owned messaging application did not identify NSO Group by name when it revealed the vulnerability in May, but Financial Times did, reporting that its code was installed on both iPhones and Android smartphones by exploiting the bug in the app’s audio call feature, and the spyware could be installed whether or not the recipient answered the calls, with those calls often disappearing from victims’ call logs.
According to FT, the spyware used in the attack was Pegasus, from NSO Group, which is licensed to governments for the purpose of gaining access to people’s devices during investigations.
NSO Group said at the time, “The company does not operate the system and, after a rigorous licensing and vetting process, intelligence and law enforcement determine how to use the technology to support their public safety missions. We investigate any credible allegations of misuse and if necessary, we take action, including shutting down the system.”
WhatsApp global head Will Cathcart wrote an op-ed for The Washington Post Tuesday, revealing that WhatsApp and parent company Facebook filed a complaint against NSO Group in the U.S. District Court for the Northern District of California.
He wrote, “As we gathered the information that we lay out in our complaint, we learned that the attackers used servers and internet-hosting services that were previously associated with NSO. In addition, as our complaint notes, we have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful.”
Cathcart also noted that the attack targeted at least 100 human-rights defenders, journalists and “other members of civil society across the world,” adding, “Tools that enable surveillance into our private lives are being abused, and the proliferation of this technology into the hands of irresponsible companies and governments puts us all at risk.”
He concluded, “The mobile phone is the primary computer for billions of people around the world. It is how we have our most private conversations and where we store our most sensitive information. Governments and companies need to do more to protect vulnerable groups and individuals from these attacks. WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere.”