Legal documents released as part of an ongoing legal tussle between Meta’s WhatsApp and NSO Group have revealed that the Israeli spyware vendor used multiple exploits targeting the messaging app to deliver Pegasus, including one even after it was sued by Meta for doing so.
They also show that NSO Group repeatedly found ways to install the invasive surveillance tool on the target’s devices as WhatsApp erected new defenses to counter the threat.
In May 2019, WhatsApp said it blocked a sophisticated cyber attack that exploited its video calling system to deliver Pegasus malware surreptitiously. The attack leveraged a then zero-day flaw tracked as CVE-2019-3568 (CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality.
The documents now show that NSO Group “developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus.” The attack vector – a zero-click exploit that could compromise a victim’s phone without any interaction from the victim – was neutralized sometime after May 2020, indicating that it was employed even after WhatsApp filed a lawsuit against it in October 2019.
Erised is believed to be one of the many such malware vectors – collectively dubbed Hummingbird – that the NSO Group had devised to install Pegasus by using WhatsApp as a conduit, including those tracked as Heaven and Eden, the latter of which is a codename for CVE-2019-3568 and had been used to target about 1,400 devices.
“[NSO Group has] admitted that they developed those exploits by extracting and decompiling WhatsApp’s code, reverse-engineering WhatsApp, and designing and using their own ‘WhatsApp Installation Server’ (or ‘WIS’) to send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state law and the plain language of WhatsApp’s Terms of Service,” according to the unsealed court documents.
Specifically, Heaven used manipulated messages to force WhatsApp’s signaling servers – which are used to authenticate the client (i.e. the installed app) – to direct target devices to a third-party relay server controlled by NSO Group.
Server-side security updates made by WhatsApp by the end of 2018 are said to have prompted the company to develop a new exploit – named Eden – by February 2019 that dropped the need for NSO Group’s own relay server in favor of relays operated by WhatsApp.
“NSO refused to state whether it developed further WhatsApp-based Malware Vectors after May 10, 2020,” per one of the documents. “NSO also admits the malware vectors were used to successfully install Pegasus on ‘between hundreds and tens of thousands’ of devices.”
Furthermore, the filings offer a behind-the-scenes look at how Pegasus is installed on a target’s device using WhatsApp, and how it is NSO Group, and not the customer, that operates the spyware, contradicting prior claims from the Israeli company.
“NSO’s customers’ role is minimal,” the documents state. “The customer only needed to enter the target device’s number and ‘press Install, and Pegasus will install the agent on the device remotely without any engagement.’ In other words, the customer simply places an order for a target device’s data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus.”
NSO Group has repeatedly maintained that its product is meant to be used to combat serious crime and terrorism. It has also insisted that its clients are responsible for managing the system and have access to the intelligence gathered by it.
Back in September 2024, Apple filed a motion to “voluntarily” dismiss its lawsuit against NSO Group, citing a shifting risk landscape that could lead to exposure of critical “threat intelligence” information and that it “has the potential to put vital security information at risk.”
In the interim years, the iPhone maker has steadily added new security features to make it difficult to conduct mercenary spyware attacks. Two years ago, it introduced Lockdown Mode as a way to harden device defenses by reducing the functionality across various apps like FaceTime and Messages, as well as block configuration profiles.
Then earlier this week, reports emerged of a novel security mechanism in beta versions of iOS 18.2 that automatically reboots the phone if it’s not unlocked for 72 hours, requiring users, including law enforcement agencies that may have access to suspects’ phones, to re-enter the password in order to access the device.
Magnet Forensics, which offers a data extraction tool called GrayKey, confirmed the “inactivity reboot” feature, stating the trigger is “tied to the lock state of the device” and that “once a device has entered a locked state and has not been unlocked within 72 hours, it will reboot.”
“Because of the new inactivity reboot timer, it is now more imperative than ever that devices get imaged as soon as possible to ensure the acquisition of the most available data,” it added.
https://thehackernews.com/2024/11/nso-group-exploited-whatsapp-to-install.html
