Spying Fears prepping WhatsApp Security Update

Facebook has been known for their security issues along these few years. Now, it’s WhatsApp turn to have a security issue. Users have been told to update to the latest version of the app due to hackers accessing people’s messages.

The hackers are able to get to people’s messages because of sharing an MP4 file across the platform. The messaging app had the issue fixed but anyone who hasn’t downloaded the latest update is vulnerable to the hack.

This WhatsApp security threat is seen as quite severe by India’s Computer Emergency Response Team (CERT-In). They posted an advisory saying that the threat “could be exploited by a remote attacker”. CERT-In had said this after the Indian government said it is empowered to “intercept, monitor or decrypt… any information generated, transmitted, received, or stored” on the phones or devices of its citizens.

Earlier on last month, almost twenty people revealed that their WhatsApp accounts were targeted. They were twenty of the 1400 people that had gotten a message saying that their digital communications may have been compromised.

WhatsApp says that the above attack earlier this month isn’t related to the recent find of the MP4 file. They have also said there is no evidence that this vulnerability has been exploited by third-parties. So that’s one good sign.

Instead, WhatsApp has said that the users were instead targeted with spyware developed by controversial Israeli technology firm NSO Group. “WhatsApp is constantly working to improve the security of our service,” a spokesperson told The Independent.

WhatsApp on Tuesday sued Israeli technology firm NSO Group, accusing it of using the Facebook-owned messaging service to conduct cyberespionage on journalists, human rights activists and others.

The suit filed in a California federal court contended that NSO Group tried to infect approximately 1,400 “target devices” with malicious software to steal valuable information from those using the messaging app.

WhatsApp head Will Cathcart said the lawsuit was filed after an investigation showed the Israeli firm’s role the cyberattack, despite its denials.

“NSO Group claims they responsibly serve governments, but we found more than 100 human rights defenders and journalists targeted in an attack last May. This abuse must be stopped,” Cathcart said on Twitter.

The lawsuit said the software developed by NSO known as Pegasus was designed to be remotely installed to hijack devices using the Android, iOS, and BlackBerry operating systems.

The complaint said the attackers “reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code” to take over the devices.

“While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” Cathcart said in an opinion piece published in the Washington Post, noting that the investigation found internet-hosting services and accounts associated with NSO.

The suit calls on court to order NSO Group to stop any such attacks and asks for unspecified damages.

WhatsApp in May called on users to upgrade the application to plug a security hole that allowed for the injection of sophisticated malware that could be used for spying at the messaging app used by 1.5 billion people around the world. WhatsApp said its investigation traced a cyberespionage effort back to the Israeli technology firm NSO Group.

The malicious code was transmitted through WhatsApp servers from about April 29 to May 10, targeting devices of attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials, according to the complaint.

“A user would receive what appeared to be a video call, but this was not a normal call,” Cathcart said of the cyberattack.

“After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call.”

Fighting ‘crime and terror’

The NSO Group came to prominence in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates.

Its best-known product is Pegasus, a highly invasive tool that can reportedly switch on a target’s phone camera and microphone, and access data on it.

The firm has been adamant that it only licenses its software to governments for “fighting crime and terror” and that it investigates credible allegations of misuse, but activists argue the technology has been instead used for human rights abuses.

Danna Ingleton of Amnesty International said the results of the WhatsApp investigation “underscore that NSO Group continues to profit from its spyware products being used to intimidate, track, and punish scores of human rights defenders across the globe, including the Kingdom of Bahrain, the United Arab Emirates and Mexico.”

Ingleton said Amesty and other groups are seeking in the Israeli courts to block NSO from exporting the technology.

The WhatsApp lawsuit is not the only one directed at NSO. The company has been accused of targeting Omar Abdulaziz, who was a close associate of Jamal Khashoggi before the Washington Post journalist was murdered in the Saudi consulate in Istanbul last year.

NSO has said it reviews allegations of abuse by clients and that it reserves the right to strip customers of their licences.

The company was acquired earlier this year by a London-based private equity firm called Novalpina Capital, which in June said it would unveil new governance standards at the company.

NSO has in the past vigorously defended the use of its technology and surveillance software, which is known as Pegasus, as a law enforcement tool that could help prevent crime and terror attacks. Novalpina has credited NSO technology for disrupting plans for a terrorist attack at a crowded stadium in Europe and, citing the Mexican government, said it assisted in the 2011 arrest of the drug kingpin known as El Chapo.

WhatsApp Complaint in Federal Court

WhatsApp alleges that NSO Group deployed Pegasus, one of several spyware technologies developed and operated by the surveillance company, on 1,400 mobile devices operating the WhatsApp mobile application.

Pegasus and NSO Group Background

Pegasus is a remote-access Trojan that first appears on mobile devices as an innocuous communication. Before the spyware can infect the device, a mobile device user must install the spyware. However, this installation is often commenced inadvertently, sometimes even without the mobile device user’s input. For example, NSO Group has allegedly used spear-phishing—the process of targeting a specific user with a fraudulent email, message or link outfitted to appear as if it were from a reputable company—to achieve remote installation. Once a mobile user opens the sham message or clicks the link, Pegasus “surreptitiously” installs on the mobile device, ultimately giving NSO Group customers—both legitimate and malicious government actors—access to data contained on the target device.

According to WhatsApp, Pegasus could remotely extract data and intercept communications from a host of communications applications such as “iMessage, Skype, Telegram, WeChat, Facebook Messenger, WhatsApp, and others.” WhatsApp suspects that Pegasus was “modular malware,” meaning it could be “customized” for multiple uses on the same phone. WhatsApp believes that this modularity enabled Pegasus to “intercept communications, capture screenshots, and exfiltrate browser history and contacts” from devices.

The suit claims that NSO Group facilitated and oversaw data extraction by its customers. The group achieved this by using a central network to update Pegasus spyware installed on various target devices, by sending data between target devices and NSO Group customers’ devices, and even by imposing caps on the number of devices its customers were permitted to infect with Pegasus.

WhatsApp’s Alleged Legal Injury

WhatsApp asserts that, between January 2018 and May 2019, NSO Group created several WhatsApp accounts that were then used to send “malicious code” to 1,400 target devices. According to WhatsApp, NSO Group was able to do this by “reverse-engineer[ing]” the WhatsApp application. This allowed NSO Group to emulate typical WhatsApp network traffic and pass this code undetected. This code was transmitted under the guise of a regular phone call, and, regardless of whether WhatsApp users answered the deceptive phone call or let it ring, the code was embedded in the receiving devices’ memories.

After this initial breach, NSO Group allegedly used WhatsApp servers to transmit encrypted data packets designed to trigger the extraction code on target devices. Once triggered, the code would connect to NSO Group servers, established for the purpose of downloading and installing malware onto the target devices. From that point forward, NSO Group and NSO Group customers had access to the data contained on these target devices.

Based on these facts, WhatsApp alleges four causes of action for legal remedy: the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the California Comprehensive Computer Data Access and Fraud Act, California Penal Code § 502; breach of contract; and trespass of chattel. NSO Group’s conduct, WhatsApp argues, “interfered with the WhatsApp Service[,]” “burdened” its “computer network[,]” and injured WhatsApp’s “reputation, public trust, and good will.”

Though NSO Group has previously been sued by individual victims of its spyware, WhatsApp’s lawsuit marks the first time NSO Group has been sued by a technology company whose users were targeted by the Israeli company. WhatsApp’s legal complaint ventures into new territory in data privacy litigation. If WhatsApp is successful in court, other technology companies may be similarly emboldened to pursue legal remedies against companies like NSO Group that are facilitating cyberattacks on mobile device users.

More Information