NSO Group Exploits WhatsApp Even After Legal Challenges

Recent legal documents from an ongoing case reveal that NSO Group, a controversial Israeli spyware vendor, exploited vulnerabilities in WhatsApp to install its Pegasus spyware, even after a lawsuit was filed against it.

The revelations highlight the group’s ability to bypass security measures and adapt to countermeasures implemented by the messaging app.

In 2019, WhatsApp reported blocking a sophisticated cyberattack that used a vulnerability in its video calling system, tracked as CVE-2019-3568, to deliver Pegasus spyware. This zero-click exploit allowed attackers to compromise devices without any user interaction.

However, the court documents reveal that NSO Group developed additional methods, collectively called Hummingbird, to continue targeting WhatsApp users. One such method, named Erised, was operational until at least May 2020, months after the lawsuit was initiated.

The Hummingbird exploits, including Heaven, Eden, and Erised, manipulated WhatsApp servers and signaling systems to direct target devices to malicious relay servers controlled by NSO Group.

These exploits enabled the seamless installation of Pegasus spyware on thousands of devices globally. Evidence shows that NSO Group reverse-engineered WhatsApp’s code and even set up its own “WhatsApp Installation Server” to execute the attacks.

Once Pegasus was installed, the spyware allowed NSO Group to remotely control infected devices. Contrary to earlier claims that its clients managed the spyware, the documents reveal that NSO Group maintained full operational control over the surveillance process. Clients simply provided target phone numbers, while NSO handled data extraction and delivery.

NSO Group has consistently argued that Pegasus is intended to combat terrorism and serious crime. However, the disclosure of these methods raises concerns about misuse and privacy violations on a massive scale.

In parallel, tech companies like Apple have ramped up their security measures in response to the growing threat of spyware. Apple introduced features such as Lockdown Mode to restrict app functionality and reduce attack surfaces.

Recently, iOS 18.2 beta introduced an “inactivity reboot” feature, requiring a device to restart if it hasn’t been unlocked for 72 hours, thereby enhancing defenses against prolonged unauthorized access.

To mitigate spyware threats, individuals and organizations must prioritize device security. Regularly updating software ensures the latest patches are applied to fix vulnerabilities. Enabling features like Lockdown Mode and minimizing permissions for apps can reduce exposure. Companies should strengthen server-side security to counter sophisticated exploits like those developed by spyware vendors.