Newly released court filings have revealed that Israeli surveillance firm NSO Group continued deploying malware exploits targeting WhatsApp, even during ongoing legal battles with Meta.
Initiated in October 2019, a lawsuit by Meta accused NSO of facilitating spyware attacks that compromised around 1,400 devices, breaching federal and state laws, including the US Computer Fraud and Abuse Act. What makes the case special is the fact that the company has always claimed immunity from prosecution because it works directly with governments.
Galina Timchenko, an exiled Russian journalist and founder of the independent news website Meduza, has claimed that her iPhone was targeted by Pegasus spyware, developed by NSO Group. Pegasus is so-called “zero-click” spyware, meaning it infects devices without the users interacting directly with a malicious link or other source.
Recently filed court documents reveal that Pegasus spyware was seemingly also employed to monitor Princess Haya of Dubai, who escaped to the UK in 2019 after learning that Sheikh Mohammed bin Rashid Al Maktoum, Dubai’s ruler and the UAE’s vice president and prime minister, had previously kidnapped two of his daughters and brought them back to the UAE against their wishes.
Details of Persistent Exploits
Documents show that NSO Group not only created but actively used malware tools like “Eden” and “Erised” for spyware deployment after the litigation had been filed. These tools allowed Pegasus, NSO’s flagship spyware, to infiltrate mobile devices by sending malformed messages through WhatsApp servers, an approach effective until WhatsApp blocked it in 2020.
NSO’s actions, which involve reverse-engineering WhatsApp’s code, are described as unauthorized, violating the platform’s terms of service and U.S. law. Meta’s position has been firm that these breaches endangered user privacy and trust, as described in a different court filing this November:
“Defendants have admitted that they developed those exploits by extracting and decompiling WhatsApp’s code, reverse-engineering WhatsApp, and designing and using their own ‘WhatsApp Installation Server’ (or ‘WIS’) to send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state law and the plain language of WhatsApp’s Terms of Service,” the court documents note.
The motion further reveals that NSO Group has continued to find and exploit WhatsApp vulnerabilities:
“Even after WhatsApp detected and blocked the exploit described in the Complaint in May 2019, NSO admits that it developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus. NSO continued to use and make Erised available to customers even after this litigation had been filed, until changes to WhatsApp blocked its access sometime after May 2020. NSO’s witnesses have refused to answer whether it developed further WhatsApp-based Malware Vectors thereafter. All of these facts are undisputed, drawn principally from the corporate representative testimony of NSO’s own witnesses, which is binding on Defendants.”
NSO Group spokesperson Gil Lainer says that the company “stands behind its previous statements in which we repeatedly detailed that the system is operated solely by our clients and that neither NSO nor its employees have access to the intelligence gathered by the system.”
Microsoft’s Push for Accountability
The call for holding private surveillance firms accountable gained a strong voice in December 2020 when Tom Burt, Microsoft’s Corporate VP of Customer Security & Trust, argued for stripping NSO of legal immunity.
Burt highlighted that unlike government agencies, private companies are not bound by international regulations and thus pursue profit over responsibility. “Private actors like the NSO Group are only incented to keep these vulnerabilities to themselves,” Burt stated, pointing out the risks posed by unchecked private-sector spyware.
Technical Insights: How Pegasus Operates
Pegasus is known for its sophisticated ability to bypass security on mobile devices, enabling covert data collection and real-time surveillance. It exploits software flaws like zero-day vulnerabilities—unknown to developers and thus unpatched—allowing spyware installation without the user’s awareness.
One such vulnerability, CVE-2019-3568, allowed attackers to infect devices simply by making a WhatsApp call that did not even require an answer. This flaw was patched by Meta in May 2019 but had already facilitated a widespread breach.
A History of Legal Battles and Cybersecurity Concerns
Meta’s legal battle culminated in March 2024 when a U.S. judge mandated that NSO Group disclose source code for Pegasus and related spyware tools. This ruling covered the period from April 2018 to May 2020 and aimed to clarify the tool’s operations and usage.
The findings further suggested NSO’s involvement in operating parts of the spyware infrastructure, a claim that contradicts its public defense that government clients independently manage deployments.
Despite continuous allegations and mounting evidence, NSO has maintained its stance that its products are solely for legitimate state use and that it does not engage in unauthorized surveillance.