Israeli surveillance firm NSO Group leveraged multiple zero-day vulnerabilities in WhatsApp, including a newly uncovered exploit called “Erised,” to deploy its infamous Pegasus spyware.

These exploits facilitated zero-click attacks, requiring no user interaction, and were used even after WhatsApp filed a lawsuit against the company, according to newly disclosed court documents.

Pegasus: A Surveillance Powerhouse

Pegasus, NSO Group’s flagship spyware, is marketed to governments worldwide for surveillance purposes. It enables users to extract extensive data from targeted devices, including calls, messages, and real-time activity monitoring. According to the court filings, NSO created exploits that bypassed WhatsApp’s security systems to deploy Pegasus remotely, often without the targets’ knowledge.

Timeline of Exploits

  1. Heaven Exploit (2018):
    NSO developed Heaven, a vector that impersonated WhatsApp’s client through a custom server called the “WhatsApp Installation Server” (WIS). This allowed Pegasus to be installed on targets’ devices from a third-party server. WhatsApp blocked this method through security updates in late 2018.
  2. Eden Exploit (2019):
    Following the patching of Heaven, NSO introduced Eden, part of a group of exploits collectively known as Hummingbird. Eden bypassed WhatsApp’s new defenses and targeted approximately 1,400 devices globally. NSO admitted in court to reverse-engineering WhatsApp’s code to create this exploit, violating federal and state laws as well as WhatsApp’s Terms of Service.
  3. Erised Exploit (2019-2020):
    After Eden was neutralized, NSO developed Erised, which leveraged WhatsApp relay servers to install Pegasus. The exploit remained operational even after WhatsApp filed a lawsuit against NSO in October 2019, finally being blocked by further WhatsApp updates after May 2020.
READ
Amazon Employee Data Exposed in Vendor Breach Linked to MOVEit Vulnerability

Minimal Client Involvement

The Pegasus spyware required minimal technical expertise from its clients. By entering a target’s phone number into a Pegasus console, the spyware would automatically install itself on the target’s device, extracting data remotely. This seamless process limited clients’ involvement to a simple “Install” command.

High-Profile Targets

Pegasus has been used against:

  • Politicians and activists, including Catalan officials.
  • Government officials in the U.K., U.S., and Finland.
  • Journalists and diplomats worldwide.

NSO Group’s activities have drawn significant criticism:

  • In November 2021, the U.S. Department of Commerce sanctioned NSO and another Israeli firm, Candiru, for supplying spyware used in attacks against journalists, activists, and government officials.
  • Apple filed a lawsuit against NSO, alleging the use of Pegasus to compromise iOS devices.
  • WhatsApp has been a key plaintiff in ongoing litigation, seeking to hold NSO accountable for breaching its systems.

NSO maintains that it is not liable for its client’s use of Pegasus and claims it lacks access to the data collected. However, the court documents reveal that NSO knowingly continued developing and deploying new exploits, even amid escalating legal and regulatory scrutiny.

This case highlights the ongoing challenges in curbing the misuse of surveillance tools, raising questions about accountability in the spyware industry. NSO Group has not commented on the latest revelations.