Facebook filed the complaint on Tuesday (Oct. 29). It alleged the group used malware on about 1,400 cellphones, targeting human rights activists, journalists, diplomats, government officials and others in a widespread malicious scheme.
Although the malware wasn’t able to break through Facebook’s encryption, it did in fact infect users’ phones, which gave NSO Group access to messages after they were decrypted.
Facebook also named a second organization in the suit: Q Cyber, which is a company affiliated with NSO Group. Earlier this year, WhatsApp confirmed that it had been hacked, but it didn’t say who the perpetrator was.
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices,” a WhatsApp spokesperson told CNBC at the time. “We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
NSO Group used its own software, called Pegasus, to not only see WhatsApp messages but messages from Skype, Telegram, WeChat, Facebook Messenger and others.
Facebook said NSO Group workers made their own WhatsApp accounts to send “malware components” to targets’ devices, or call and “secretly inject malicious code.”
WhatsApp said it had contacted all of the 1,400 users that it thought were “impacted by this attack to directly inform them about what had happened.”
“In May 2019 we stopped a highly sophisticated cyber attack that exploited our video calling system in order to send malware to the mobile devices of a number of WhatsApp users,” WhatsApp said in a blog post. “The nature of the attack did not require targeted users to answer the calls they received. We quickly added new protections to our systems and issued an update to WhatsApp to help keep people safe. We are now taking additional action, based on what we have learned to date.”