WhatsApp blames — and sues — mobile spyware maker NSO Group over its ‘silent call’ exploit

WhatsApp has filed a suit in federal court accusing NSO Group, an Israeli mobile surveillance maker, of creating an exploit that allowed the spyware’s operator to hack into a target’s phone and remotely spy on them.

The lawsuit, filed in a California federal court, said the mobile surveillance outfit “developed their malware in order to access messages and other communications after they were decrypted” on target devices.

The attack worked by exploiting an audio-calling vulnerability in WhatsApp. Users would appear to get an ordinary call, but the malware would quietly infect the device with spyware, giving the attackers full access to the device.

Because WhatsApp is end-to-end encrypted, it’s near-impossible to access the messages as they traverse the internet. But in recent years, governments and mobile spyware companies have begun targeting the devices where the messages were sent or received. The logic goes that if you hack the device, you can obtain its data.

Thats’s what WhatsApp says happened.

WhatsApp, owned by Facebook, quickly patched the vulnerability. Although blame fell fast on NSO Group, WhatsApp did not publicly accuse the company at the time.

In an op-ed, WhatsApp head Will Cathart said the messaging giant “learned that the attackers used servers and Internet-hosting services that were previously associated” with NSO Group, and that certain WhatsApp accounts used during the attacks were traced back to the company.

“While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” said Cathart.

The attack involved disgusing the malicious code as call settings, allowing the surveillance outfit to deliver the code as if it came from WhatsApp’s signaling servers. Once the malicious calls were delivered to the target’s phone, they “injected the malicious code into the memory of the target device — even when the target did not answer the call,” the complaint read. When the code was run, it sent a request to the surveillance company’s servers, and downloaded additional malware to the target’s device.

In total, some 1,400 targeted devices were affected by the exploit, the lawsuit said.

Most people were unaffected by the WhatsApp exploit. But WhatsApp said that over a hundred human rights defenders, journalists and “other members of civil society” were targeted by the attack. Other targets included government officials and diplomats.

WhatsApp is asking for a jury trial.

We’ve reached out to NSO Group for comment, but did not hear back.

social experiment by Livio Acerbo #greengroundit #techcrunch http://feedproxy.google.com/~r/Techcrunch/~3/pxMr3NysCMo/