WhatsApp sues Israeli firm NSO for ‘helping spies hack phones with video calls’
WhatsApp sued Israeli surveillance firm NSO Group, accusing it of helping government spies break into the phones of roughly 1,400 users across four continents in a hacking spree whose targets included diplomats, political dissidents, journalists and senior government officials.
In a lawsuit filed in federal court in San Francisco, messaging service WhatsApp, which is owned by Facebook, accused NSO of facilitating government hacking sprees in 20 countries. Mexico, the United Arab Emirates and Bahrain were the only countries identified.
WhatsApp said that 100 civil society members had been targeted and called it “an unmistakable pattern of abuse”.
NSO denied the allegations.
WhatsApp said the attack exploited its video calling system to send malware to the mobile devices of a number of users.
The malware would allow NSO’s clients – said to be governments and intelligence organizations – to secretly spy on a phone’s owner, opening their digital lives up to official scrutiny.
The lawsuit said the software could hijack devices using the Android, iOS, and BlackBerry operating systems.
“A user would receive what appeared to be a video call, but this was not a normal call,” WhatsApp head Will Cathcart said.
“After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call.”
NSO Group’s flagship malware, called Pegasus, allows spies to effectively take control of a phone – remotely and surreptitiously controlling its cameras and microphones from remote servers and vacuuming up personal and geo-location data.
WhatsApp is used by some 1,5 billion people monthly and has often touted a high level of security, including end-to-end encrypted messages that cannot be deciphered by WhatsApp or other third parties.
Citizen Lab, a cybersecurity research laboratory based at the University of Toronto that worked with WhatsApp to investigate the phone hacking, said that the targets included well-known television personalities, prominent women who had been subjected to online hate campaigns and people who had faced “assassination attempts and threats of violence”.
Neither Citizen Lab nor WhatsApp identified the targets by name.
Governments have increasingly turned to sophisticated hacking software as officials seek to push their surveillance power into the furthest corners of their citizens’ digital lives.
Companies like NSO say their technology enables officials to circumvent the encryption that increasingly protects the data held on phones and other devices.
But governments only rarely talk about their capabilities publicly, meaning that the digital intrusions like the ones that affected WhatsApp typically happen in the shadows.
The lawsuit seeks to have NSO barred from accessing or attempting to access WhatsApp and Facebook’s services and seeks unspecified damages.
NSO’s phone hacking software has already been implicated in a series of human rights abuses across Latin America and the Middle East, including a sprawling espionage scandal in Panama and an attempt to spy on an employee of the London-based rights group Amnesty International.
NSO came under particularly harsh scrutiny over the allegation that its spyware played a role in the death of Washington Post journalist Jamal Khashoggi, who was murdered at the Saudi Consulate in Istanbul a little over a year ago.
Khashoggi’s friend Omar Abdulaziz is one of seven activists and journalists who have taken the spyware firm to court in Israel and Cyprus over allegations that their phones were compromised using NSO technology.
Amnesty has also filed a lawsuit, demanding that the Israeli Ministry of Defence revoke NSO’s export license to “stop it profiting from state-sponsored repression”.
NSO has recently tried to clean up its image after it was bought by London-based private equity firm Novalpina Capital earlier this year.
Distributed by PAJU (Palestinian and Jewish Unity)