According to court records made public as part of a continuing legal battle between NSO Group and Meta’s WhatsApp, the Israeli spyware vendor delivered Pegasus via a number of flaws directed at the messaging service, including one that it continued to employ even after being sued by Meta for doing so.
The records also show how, as WhatsApp put up additional defences against the threat, NSO Group kept finding new ways to get the intrusive spying tool onto targets’ devices.
WhatsApp said it had stopped a highly sophisticated cyberattack in May 2019 that abused its video calling feature to covertly deliver Pegasus. The attack exploited a critical buffer overflow in the voice call feature, tracked as CVE-2019-3568 (CVSS score: 9.8).
According to the documents, NSO Group additionally “developed yet another installation vector (known as Erised) that also used WhatsApp servers to install Pegasus.” The vector, a zero-click exploit that could compromise a victim’s phone without the victim having to do anything, was not shut down until sometime after May 2020, meaning it was still in use even after WhatsApp sued the company in October 2019.
Erised is believed to be one of several malware vectors, collectively known as Hummingbird, that NSO Group developed to install Pegasus via WhatsApp. The others include Heaven and Eden; Eden is the codename for the CVE-2019-3568 exploit and was used to infect roughly 1,400 devices.
“[NSO Group has] admitted that they developed those exploits by extracting and decompiling WhatsApp’s code, reverse-engineering WhatsApp, and designing and using their own ‘WhatsApp Installation Server’ (or ‘WIS’) to send malformed messages (which a legitimate WhatsApp client could not send) through WhatsApp servers and thereby cause target devices to install the Pegasus spyware agent—all in violation of federal and state law and the plain language of WhatsApp’s Terms of Service,” according to the unsealed court records.
In particular, Heaven used spoofed messages to force WhatsApp’s signalling servers, which authenticate the client (the installed app), to route target devices to a third-party relay server controlled by NSO Group.
Server-side security changes that WhatsApp made by the end of 2018 reportedly led NSO Group to build a new vector, Eden, by February 2019. Eden removed the need for NSO Group’s own relay server by routing traffic through WhatsApp-run relays instead.
“NSO refused to state whether it developed further WhatsApp-based Malware Vectors after May 10, 2020,” one of the documents states. “NSO also admits the malware vectors were used to successfully install Pegasus on ‘between hundreds and tens of thousands’ of devices.”
In addition, the documents provide an inside look at how Pegasus is set up on a target’s device through WhatsApp and reveal that NSO Group, not the user, is in charge of running the spyware, which runs counter to earlier assertions made by the Israeli corporation.
According to the records, “NSO’s customers’ role is minimal,” since “Pegasus will remotely install the agent on the device without any interaction from the customer; they just need to enter the number of the target device and click Install. In other words, NSO manages every facet of the data retrieval and distribution process through its Pegasus design, while the customer only makes an order for the data from a target device.”
NSO Group has consistently insisted that the purpose of its product is to fight terrorism and severe crime. Additionally, it has maintained that its clients have access to the intelligence that the system collects and are in charge of overseeing it.
Separately, rumours surfaced earlier this week about a new security feature in beta versions of iOS 18.2 that requires users, including law enforcement agencies that may have access to suspects’ phones, to re-enter the password to access the device after it automatically reboots if it has not been unlocked for 72 hours.
The “inactivity reboot” feature was confirmed by Magnet Forensics, the company that sells the data extraction tool GrayKey. The company said the trigger is “tied to the lock state of the device” and that “once a device has entered a locked state and has not been unlocked within 72 hours, it will reboot.”
Because of the new inactivity reboot timer, seized devices must now be imaged as soon as possible to ensure that the greatest amount of available data can be acquired.