NSO Group allegedly exploited WhatsApp vulnerabilities to install Pegasus spyware and malware, despite Meta’s ongoing legal action against the Israeli firm.

The legal tug-of-war between WhatsApp and NSO Group has yielded damning evidence: unsealed court documents reveal that the Israeli company exploited WhatsApp vulnerabilities to deliver Pegasus spyware, and kept doing so even after Meta sued it.

Despite WhatsApp erecting new defenses, NSO Group continued to find ways to install its invasive surveillance tool on target devices, underscoring the persistent threat posed by such sophisticated attackers.

In May 2019, WhatsApp announced that it had blocked a sophisticated cyber attack that exploited its video-calling feature to silently install the Pegasus spyware. The attackers took advantage of a previously unknown vulnerability with a CVSS score of 9.8, a buffer overflow in the app's voice call functionality.

The documents reveal that NSO Group created another installation vector, dubbed Erised, which leveraged WhatsApp's own servers to deploy Pegasus. This attack vector, a zero-click exploit requiring no user interaction, was neutralized by May 2020, indicating that it remained in use even after WhatsApp's countermeasures in October 2019.

Erised is believed to be one of several vectors, collectively referred to as Hummingbird, that NSO Group used to deliver Pegasus through WhatsApp, alongside variants named Heaven and Eden; Eden, tracked as CVE-2019-3568, targeted approximately 1,400 devices.

“NSO Group has acknowledged developing these exploits by reverse-engineering WhatsApp’s code, extracting and decompiling it to create their own ‘WhatsApp Installation Server’ (or WIS), which enables them to send malformed messages through WhatsApp servers, thereby triggering target devices to install the Pegasus malware agent in violation of federal and state laws, as well as WhatsApp’s Terms of Service, according to unsealed court documents.”

Specifically, Heaven used manipulated messages to force WhatsApp’s signalling servers, the servers that authenticate the client, to direct target devices to a third-party relay server controlled by NSO Group.

WhatsApp’s server-side security updates in late 2018 prompted the development of a new exploit, dubbed Eden, which was in use by February 2019. Eden eliminated the need for NSO Group’s own relay servers and instead used relays operated by WhatsApp.

According to the documents, NSO declined to confirm or deny whether it developed further WhatsApp-based vectors after May 10, 2020. NSO also concedes that these vectors were used to successfully deploy Pegasus on “between a few hundred and tens of thousands” of devices.

Notably, the filings offer a rare glimpse into the inner workings of Pegasus, revealing how it is installed on a target’s device via WhatsApp, and in stark contrast to previous assertions by NSO Group, it is the company – not the customer – that operates the malware.

The customer’s role is minimal, according to the documents. The customer simply enters the target device’s phone number and initiates the installation; Pegasus then remotely installs the agent on the device without any further human intervention. In essence, the customer merely places an order for a target device’s data, while NSO orchestrates every aspect of the retrieval and delivery of that information through its Pegasus design.

NSO Group has consistently asserted that its technology is designed to combat serious crime and terrorism and is intended for use by law enforcement agencies in addressing those threats. The company has also maintained that its customers are responsible for operating the system and have direct access to the intelligence it collects.

In September 2024, Apple voluntarily dropped its own lawsuit against NSO Group, citing an evolving threat landscape and the risk that continued litigation could expose critical “threat intelligence” information.

In the intervening period, Apple has steadily added security measures to strengthen its defenses against mercenary spyware attacks. Two years ago, Apple introduced Lockdown Mode, which hardens devices by restricting features such as FaceTime and Messages and by blocking configuration profiles.

Earlier this week, news broke of a new security feature in beta versions of iOS 18.2: if an iPhone stays locked for 72 hours, it reboots, forcing anyone in possession of the device, including law enforcement agencies holding suspects’ devices, to re-enter the passcode to regain access.

Magnet Forensics, maker of the GrayKey data extraction tool, described the “inactivity reboot” feature: it triggers when a device enters a locked state and remains locked for 72 hours without being unlocked, at which point the device reboots.

Because of the newly implemented inactivity reboot timer, it’s more vital than ever to image devices promptly, ensuring the capture of all available data.
