Eight things we learned from WhatsApp vs. NSO Group spyware lawsuit

Summary

On May 6, WhatsApp scored a major victory against NSO Group when a jury ordered the infamous spyware maker to pay more than $167 million in damages to the Meta-owned company. The ruling concluded a legal battle spanning more than five years, which started in October 2019 when WhatsApp accused NSO Group of hacking more than 1,400 of its users by taking advantage of a vulnerability in the chat app’s audio-calling functionality. The verdict came after a week-long jury trial that featured several testimonies, including NSO Group’s CEO Yaron Shohat and WhatsApp employees who responded and investigated the incident. Even before the trial began, the case had unearthed several revelations, including that NSO Group had cut off 10 of its government customers for abusing its Pegasus spyware, the locations of 1,223 of the victims of the spyware campaign, and the names of three of the spyware maker’s customers: Mexico, Saudi Arabia, and Uzbekistan. TechCrunch read more than 1,000 pages of court transcripts of the trial’s hearings. We have highlighted the most interesting facts and revelations below. New testimony described how the WhatsApp attack worked The zero-click attack, which means the spyware required no interaction from the target, “worked by placing a fake WhatsApp phone call to the target,” as WhatsApp’s lawyer Antonio Perez said during the trial. The lawyer explained that NSO Group had built what it called the “WhatsApp Installation Server,” a special machine designed to send malicious messages across WhatsApp’s infrastructure mimicking real messages. “Once received, those messages would trigger the user’s phone to reach out to a third server and download the Pegasus spyware. The only thing they needed to make this happen was the phone number,” said Perez. NSO Group’s research and development vice president Tamir Gazneli testified that “any zero-click solution whatsoever is a significant milestone for Pegasus.” NSO admitted that it kept targeting WhatsApp users after ...