
WhatsApp Wins $167M Verdict Against NSO Group Over Pegasus Spyware Attacks

WhatsApp achieved a significant legal victory against NSO Group, with a jury ordering the spyware maker to pay over $167 million for hacking 1,400+ users via a zero-click exploit in WhatsApp's audio-calling feature. The case revealed NSO’s targeting methods, government clients, and continued attacks despite ongoing litigation, highlighting the persistent cybersecurity threats posed by Pegasus spyware.

Published May 10, 2025 at 08:07 AM EDT in Cybersecurity

In a landmark legal decision, WhatsApp secured a $167 million judgment against NSO Group, the notorious spyware developer behind Pegasus. This verdict concludes a protracted legal battle initiated in 2019 when WhatsApp accused NSO of exploiting a vulnerability in its audio-calling feature to hack over 1,400 users without any interaction from the targets.

The spyware attack used a zero-click method, meaning victims did not need to engage with any message or call. NSO’s “WhatsApp Installation Server” sent malicious messages that mimicked legitimate WhatsApp communications and caused the target device to download Pegasus; the only thing the attack required was the target’s phone number. This sophisticated approach underscores the advanced capabilities of modern spyware.

During the trial, NSO Group revealed that its spyware was tested on a U.S. phone number as part of a demonstration for the FBI, contradicting previous claims that Pegasus did not target American numbers. The FBI ultimately chose not to deploy Pegasus. The case also disclosed that NSO’s government clients included Mexico, Saudi Arabia, and Uzbekistan, some of whom abused the spyware, leading NSO to sever ties with ten such customers.

NSO’s CEO explained that Pegasus automatically selects the hacking exploit to use, relieving government clients from choosing the attack vector. Interestingly, NSO’s headquarters share a building with Apple in Herzliya, Israel, highlighting the proximity to a major target of its spyware campaigns.

Despite the lawsuit filed in late 2019, NSO continued to deploy versions of the WhatsApp zero-click exploit, codenamed “Erised,” “Eden,” and “Heaven,” collectively known as “Hummingbird,” until May 2020. This persistence highlights the ongoing risks spyware poses even amid legal scrutiny.

Broader Implications for Cybersecurity

This case exemplifies the evolving landscape of cybersecurity threats, where state-sponsored spyware leverages zero-click exploits to infiltrate widely used communication platforms. The verdict not only holds NSO accountable but also raises awareness about the vulnerabilities in popular apps and the importance of robust security measures to protect user privacy.

Organizations and governments must prioritize detection and mitigation strategies against such sophisticated spyware. The revelations about NSO’s clients and methods provide critical intelligence for cybersecurity professionals aiming to safeguard digital communications against similar threats.
