Messaging service WhatsApp is suing a spyware company that attacked their users’ devices and stole information.

In a 126-page US District Court filing, WhatsApp alleges Israeli-based surveillance software company NSO and its parent company Q Cyber Technologies targeted 1,400 users between April and May of this year, contrary to US law and its own terms of service.

By simply dialling their number, NSO's commercial spyware called ‘Pegasus’ was injected onto user's phones, regardless of whether they answered the call or not.

The targeted users included journalists, human rights activists, attorneys, political dissidents, and senior government officials.

“This is the first time that an encrypted messaging provider is taking legal action against a private entity that has carried out this type of attack against its users,” a statement from WhatsApp read.

“We are seeking a permanent injunction banning NSO from using our service.”

Facebook-owned WhatsApp prides itself on its end-to-end encryption which guarantees the privacy of messages sent between users.

WhatsApp is used by approximately 1.5 billion people in 180 countries.

How they did it

Working with cyber security experts at The Citizen Lab based at the University of Toronto’s Munk School, WhatsApp was able to determine how the attacks were carried out.

The perpetrators created WhatsApp accounts using mobile phone numbers registered in various countries including Brazil, Cyprus, Sweden, Israel, the Netherlands, and Israel.

Then, using remote servers, they targeted WhatsApp servers to call targeted phones.

Once the calls were delivered to the phones, they injected the malicious code into the memory of the devices—even if the user did not answer the call.

“Pegasus is designed to be stealthy and evade forensic analysis, avoid detection by anti-virus software, and can be deactivated and removed by operators,” Citizens Labs wrote in a blog post.

“Once Pegasus is installed, it begins contacting the operator’s command and control (C&C) servers to receive and execute operators’ commands, and send back the target’s private data, including passwords, contact lists, calendar events, text messages, and live voice calls from popular mobile messaging apps.

“The operator can even turn on the phone’s camera and microphone to capture activity in the phone’s vicinity, and use the GPS function to track a target’s location and movements.”

At the heart of it

The Citizen Lab was critical of the way NSO is sold to foreign governments to track citizens, whether their own or tourists visiting their countries.

“NSO Group spyware is being sold to government clients without appropriate controls over how it is employed by those clients,” it said.

“[They] are equipping repressive governments with powerful tools to spy on those who hold them to account.

“With powerful surveillance technology such as this roaming free, there is nowhere to hide, and no one will be safe from those who wish to cause harm.”