WhatsApp, which prides itself on its encrypted messaging capabilities, has filed a complaint in a California court accusing spyware company NSO Group and its parent company Q Cyber Technologies of targeting at least 1,400 users across the world.
What WhatsApp has claimed
WhatsApp claims it detected the attack in May 2019 and found that NSO exploited a “buffer overflow vulnerability in WhatsApp VOIP stack” to send its Pegasus malware to the target devices, even without the users answering the calls they received.
In an article in The Washington Post, WhatsApp head Will Cathcart claimed they can link the attack to NSO because the “attackers used servers and Internet-hosting services that were previously associated with NSO” and they “tied certain WhatsApp accounts used during the attacks back to NSO”. “While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” he wrote in the October 30 opinion piece.
WhatsApp has roped in cyber security experts at the Citizen Lab, an academic research group based at the University of Toronto’s Munk School, to learn more about the attack. “As part of our investigation into the incident, Citizen Lab has identified over 100 cases of abusive targeting of human rights defenders and journalists in at least 20 countries across the globe, ranging from Africa, Asia, Europe, the Middle East, and North America that took place after Novalpina Capital acquired NSO Group and began an ongoing public relations campaign to promote the narrative that the new ownership would curb abuses,” a post on their site said.
What’s in the lawsuit
The WhatsApp lawsuit gives insight on how NSO allegedly seeded the Pegasus spyware in the target devices.
The lawsuit claims the “Defendants (NSO) set up various computer infrastructure, including WhatsApp accounts and remote servers” and then “used WhatsApp accounts to initiate calls through Plaintiffs’ servers that were designed to secretly inject malicious code onto Target Devices”. It then “caused the malicious code to execute on some of the Target Devices, creating a connection between those Target Devices and computers controlled by Defendants (the ‘remote servers’)”.
The lawsuit claims that between January 2018 and May 2019, NSO created WhatsApp accounts “using telephone numbers registered in different counties, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands”. They also “leased servers and internet hosting services in different countries, including the United States, in order to connect the Target Devices to a network of remote servers intended to distribute malware and relay commands to the Target Devices”.
WhatsApp claimed these servers were owned by Choopa, Quadranet and Amazon Web Services, among others. “The IP address of one of the malicious servers was previously associated with subdomains used by Defendants.”
It claimed NSO routed and caused to be “routed malicious code through the Plaintiffs’ servers – including Signaling Servers and Relay Servers – concealed within part of the normal network protocol”. WhatsApp’s Signaling Servers facilitate initiation of calls between different devices while the Relay Servers help with “certain data transmissions” over the service. This, WhatsApp claims, was unauthorised and illegal as the servers were deemed “protected computers” under US laws.
As per WhatsApp, NSO also “reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code — undetected — to Target Devices over WhatsApp servers”. “To avoid the technical restrictions built into WhatsApp Signaling Servers,” the lawsuit claimed, “Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings. Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device — even when the Target User did not answer the call.”
Arguing that NSO violated the US Computer Fraud and Abuse Act, California Comprehensive Computer Data Access and Fraud Act, breached their contracts with WhatsApp, wrongfully trespassed, WhatsApp has sought relief including a permanent injunction from accessing “WhatsApp’s and Facebook’s service, platform, and computer systems”, creating or maintaining any WhatsApp or Facebook account and engaging in any activity that disrupts, diminishes the quality of, interferes with the systems. The messaging platform has also sought damages.
Explained: How the spyware Pegasus worked
The Citizen Lab says “NSO Group / Q Cyber Technologies’ flagship spyware” has many names and Pegasus is just one of the commonly used one. It is also called Q Suite and can infiltrate both iOS and Android devices. To spy on a target, operators use multiple vectors to penetrate security features in operating systems and silently install Pegasus without the user’s knowledge or permission. While in this case the vector was a missed WhatsApp Call, Citizen Lab claims its has identified other cases, which include “tricking targets into clicking on a link using social engineering”. Once installed, Pegasus can start contacting the operator’s command and control (C&C) servers to receive and execute commands as well as send back critical information including passwords and text messages. It can also help the operator turn on the camera or microphone of the device and even track location in real time. It has been designed to avoid leaving footprints and also use minimum bandwidth.
Don’t miss from Explained: What Azadi March in Pakistan signals