WhatsApp has just pushed a significant update to its 1.5 billion users. That’s because the messaging service has discovered a security flaw that enabled attackers to remotely install spyware, possibly without the target of the surveillance even being aware of it.
A “select” group of users were targeted by an “advanced cyber actor,” the company said. So who might have been responsible? “The attack has all the hallmarks of a private company reportedly that works with governments to deliver spyware that takes over the functions of mobile phone operating systems,” the company said.
To anyone immersed in the murky world of cybersecurity and surveillance, it was pretty clear who WhatsApp was referring to. A source familiar with the investigation tied the spyware to an Israeli-based security developer called NSO Group.
What is NSO Group?
NSO is a multi-million-dollar Israeli tech firm that specializes in cyber-surveillance tools. Appropriately for the sphere in which it works, the company prefers to work in the shadows. Its executives rarely talk to the media and it does not say very much about its clients.
Its flagship product is Pegasus, a powerful piece of malware designed to track a user’s cellphone. The software is able to infect a device after a single click on a link in a fake text message, which then grants complete access to the phone. Data stored on the phone – messages, phone calls and even GPS location data – are visible, allowing NSO’s clients to see where someone is, who they are talking to, and about what.
NSO Group told CNN on Monday that its technology was licensed only to government agencies, and “for the sole purpose of fighting crime and terror.” The company has no role in identifying the targets of its technology, “which is solely operated by intelligence and law enforcement agencies,” it said in a statement.
Who uses the NSO Group’s spyware?
Up to 45 countries use NSO’s Pegasus technology, according to researchers with the Toronto-based Citizen Lab, an academic security research group that investigates digital threats to civil society groups and online freedom of expression.
At least six of those countries – Saudi Arabia, the United Arab Emirates, Bahrain, Mexico, Morocco and Kazakhstan – “have previously been linked to abusive use of spyware to target civil society,” Citizen Lab noted in a report in September.
Shalev Hulio, the CEO of NSO Group, said earlier this year that his company only sells its products to government agencies. “All sales are authorized by Israel’s Defense Ministry and are only made to states and their police and law enforcement organizations” and “only for use fighting terrorism and crime,” Hulio told Yedioth Ahronoth, one of Israel’s largest newspapers.
Hulio defended the firm’s technology, and said that if clients were found to be abusing the software, NSO Group could disconnect it – and had done so three times in the past, though he declined to identify who the customers were.
“I will say with modesty that thousands of people in Europe owe their lives to the hundreds of workers [we have] in Herzliya,” Hulio said, referring to the Israeli town where the company is based. “I reiterate that any use [of our technology] that goes beyond the criteria of saving human lives at risk from crime or terror will prompt our company to take immediate steps, unequivocally and decisively.”
But cyber security expert Michael Shaulov told CNN that once the software was sold to a country, NSO Group had little control over what it was used for.
“Even when [NSO Group sells] the software to specifically the law enforcement agency that specifically bought it, in the case that those guys want to go after what we call illegitimate targets, NSO has no control [over it],” Shaulov said. “They cannot really prevent it.”
The firm attracted attention in the aftermath of the murder of Jamal Khashoggi last year, when a friend of the Washington Post journalist claimed that their conversations had been intercepted by Saudi authorities using spyware created by NSO Group.
Omar Abdulaziz, a Montreal-based activist, had been communicating with Khashoggi via WhatsApp in the year before the journalist was killed at the Saudi consulate in Istanbul last October. In their private messages, Khashoggi was far more critical of Saudi Arabia than he was in public.
Abdulaziz is suing NSO Group, accusing it of violating international law by selling its software to oppressive regimes. Researchers at Citizen Lab believe Abdulaziz’s phone was targeted with military-grade spyware developed by NSO Group. “The hacking of my phone played a major role in what happened to Jamal, I am really sorry to say,” Abdulaziz told CNN in December. “The guilt is killing me.”
The company has denied any involvement in the tracking of the Saudi journalist or his killing.
Well before Khashoggi’s death, there had been accusations that its technology had been used to target journalists and human rights workers. Citizen Lab identified the use of NSO Group spyware in 2016 when it said governments had been able to use fake domains in attempts to disguise themselves as legitimate groups like the Red Cross, news organizations, and large tech companies. At the time, NSO said that it required its clients only to use its tools to combat crime.
More recently, Citizen Lab said that two other Saudi dissidents were targeted using NSO tools. One was an activist called Yahya Assiri and the other was a staff member who had been involved in Amnesty International’s work on Saudi Arabia. An Amnesty deputy program director confirmed its technology experts studied the phone in question and found it contained spyware.
Pegasus has put NSO at the center of a series of lawsuits that allege violations of international law.
On Tuesday, Amnesty International launched a legal move in Israel that seeks to have NSO Group’s export license revoked. The petition, filed at the District Court of Tel Aviv, argues that by allowing NSO Group to continue selling Pegasus, and thereby threaten the rights to privacy and to freedom of opinion and expression, Israel is in breach of its obligations under human rights law.
In its response to the lawsuit, NSO said that it “operates according to the law and adheres to a clear ethical policy that is meant to prevent misuse of its technology,” according to a statement reported by the Jerusalem Post.
“NSO only licenses its technology to approved government intelligence and law enforcement agencies for the sole purpose of preventing and fighting crime and terror, according to clear definitions,” it said.
Separately, NSO Group flatly rejected Abdulaziz’s allegations in December as “completely unfounded.”
How to update your device
Unlike previous vulnerabilities, this latest attack does not discriminate between types of devices. WhatsApp has released a patch, which is available in an upgrade.
If you’re an Apple user, open the App Store on your device and tap the “Updates” tab along the bottom of the screen. If your version of WhatsApp needs to be updated, you will see it listed in the “Pending” list at the top.
On devices running Android, updating is pretty similar. Go to the Google Play Store on your phone and find “My apps & games” in the menu. Find WhatsApp in the “Updates pending” list.
CNN’s Donie O’Sullivan and Heather Kelly contributed to this report. CNN’s Andrew Carey, Michael Schwartz and Hadas Gold also contributed from Jerusalem.