Facebook has filed a lawsuit against Israeli cyber security firm NSO Group in the United States, alleging that the latter used WhatsApp servers located in the United States and elsewhere to infect approximately 1,400 mobile devices with malware to carry out surveillance of “Target Users”.
In May this year, Facebook discovered a critical vulnerability in WhatsApp messaging service that allowed malicious actors to inject surveillance malware into users’ devices. The company soon rolled out a security update as “an advanced cyber actor” had already exploited the vulnerability to carry out surveillance of targeted entities.
“A buffer overflow vulnerability in WhatsApp VOIP [voice over internet protocol] stack allowed remote code execution via specially crafted series of SRTCP [secure real-time transport protocol] packets sent to a target phone number,” said WhatsApp in an advisory to security specialists.
NSO Group installed Pegasus into devices after exploiting WhatsApp vulnerability
According to security experts, the surveillance software installed by hackers in target devices was Pegasus, a well-known piece of spyware created by the Israel-based NSO Group that features a number of surveillance capabilities that include capturing screenshots, keylogging, live audio capture, browser history exfiltration, email exfiltration from Android’s Native Email client, and exfiltration of contacts and text messages from devices.
According to researchers, Pegasus is also capable of exfiltrating messaging data from commonly-used applications such as WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao and can self-destruct if an antidote file exists in an infected device or if it has not been able to check in with the servers after 60 days of infiltration.
“Once deployed on the victim’s phone, Pegasus allows the attacker to access sensitive data from the device (contacts, SMS, emails, photos, etc.), to track location and to activate the microphone and the camera for remote monitoring.
“Since 2016, Pegasus has been identified on several thousand “high potential” target’s phones. These include CEOs and CFOs of major financial and industrial companies, but also devices owned by journalists or non-governmental organisations,” said Tom Davison, EMEA director at Lookout, the security firm that first discovered Pegasus in 2016.
On Tuesday, Facebook filed a lawsuit against NSO Group in the District Court of California, alleging that NSO Group “used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices” and that the firm developed their malware “in order to access messages and other communications after they were decrypted on Target Devices”.
In its complaint, Facebook alleged that NSO Group and its agents used WhatsApp servers and the WhatsApp Service to send discrete malware components to target devices after setting up various WhatsApp accounts and remote servers to conceal their involvement.
NSO Group carried out surveillance activities between January and May this year
Using Facebook’s servers, NSO Group initiated calls that secretly injected malicious code into target devices and then executed the codes to create a connection between the hijacked devices and its remote server. Once a connection was established, NSO Group caused target devices to download and install additional malware, including Pegasus, for the purpose of accessing data and communications.
“Between approximately January 2018 and May 2019, Defendants created WhatsApp accounts that they used and caused to be used to send malicious code to Target Devices in April and May 2019. The accounts were created using telephone numbers registered in different counties, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands.
“Defendants reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers. Defendants’ program was sophisticated, and built to exploit specific components of WhatsApp network protocols and code,” the complaint read.
Facebook added that between April and May this year, NSO Group formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings to avoid the technical restrictions built into WhatsApp Signaling Servers.
Using this method, NSO Group transmitted malicious code to approximately 1,400 target devices between April 29 and May 10 and these devices were owned by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.
After Facebook discovered the security vulnerability on May 13 and issued a security update to fix it, an NSO Group employee allegedly told the company- “You just closed our biggest remote for cellular . . . It’s on the news all over the world.”
Facebook further alleged that because of NSO Group’s covert activities that caused damage to its reputation and destroyed the goodwill between the company and its users, it suffered damages in excess of $75,000 and asked the Court to award it “compensatory, statutory, and punitive” damages.
“Several firms dealing in cyber weapons have been criticized when their spyware has turned up in inappropriate places, but this could all change if Facebook (WhatsApp) is successful in this suit,” says Craig Young, senior security researcher at Tripwire.
“The precedent set by a ruling in favour of WhatsApp could send shockwaves through this very murky industry prompting vendors to be more considerate about how their weapons are used.”