Over 1,400 WhatsApp Users Hacked with Pegasus Spyware

It has come to light that the Israeli company NSO Group, known for developing surveillance software including the infamous Pegasus, used several 0-day exploits to target WhatsApp users. Among these was a previously unknown exploit called Erised, which leveraged vulnerabilities to deploy Pegasus spyware.

To recap, Pegasus is a surveillance platform developed by NSO Group. Marketed as a legal spyware tool, Pegasus is used for espionage and surveillance worldwide. Through Pegasus, NSO Group’s clients can collect text messages, app data, eavesdrop on calls, track locations, steal passwords, and more from both iOS and Android devices.

Several years ago, we published a dedicated article about Pegasus and NSO Group after public attention was drawn to the misuse of this commercial spyware.

Back in 2019, WhatsApp representatives filed a lawsuit against NSO Group, accusing the company of facilitating cyberattacks on behalf of various governments in 20 countries, including Mexico, the UAE, and Bahrain.

This legal battle is ongoing, and just a few days ago some very interesting, unredacted court documents became public.

How the Attacks Worked

According to these documents, up until around April 2018, NSO Group used a custom WhatsApp client (WhatsApp Installation Server or WIS) and a proprietary exploit called Heaven. This exploit could impersonate the official WhatsApp client and was used to install Pegasus on devices from a third-party server controlled by NSO.

“WIS could impersonate the official client to access WhatsApp servers and transmit messages, including call settings, which the legitimate client could not do,” the documents state. “NSO began testing Heaven on WhatsApp servers around April 2018 and soon after started providing it to its clients.”

After WhatsApp developers discovered the issue and blocked NSO Group’s access to infected devices and servers with patches released in September and December 2018, the Heaven exploit stopped working.

Then, in February 2019, NSO Group created a new exploit—Eden—to bypass WhatsApp’s new security measures. In May 2019, WhatsApp representatives found that Eden had been used by NSO Group clients to attack about 1,400 user devices.

The court documents confirm that NSO Group admitted to developing and selling this spyware. The zero-click installation vector, called Eden (part of a set of vectors targeting WhatsApp known as Hummingbird), was indeed used in attacks.

Specifically, NSO Group’s R&D department head Tamir Gazneli and other defendants “admitted to developing these exploits by extracting and decompiling WhatsApp code and reverse engineering it.” All of this was used to create the WIS client, which could “send malicious messages through WhatsApp servers (which the legitimate WhatsApp client could not send), thereby forcing target devices to install the Pegasus spyware agent.”

After discovering these attacks, WhatsApp developers patched the vulnerabilities exploited by Eden and disabled NSO Group’s WhatsApp accounts.

New Exploits and Ongoing Legal Battle

Even after these exploits were exposed and Eden was blocked in May 2019, and after WhatsApp took legal action, NSO Group created yet another installation vector for its spyware, named Erised. This exploit used WhatsApp relay servers to deploy Pegasus.

According to court documents, Erised was only blocked in May 2020, when the lawsuit between WhatsApp and NSO Group was already in full swing. NSO Group refused to answer in court whether it had developed any other vectors for delivering its malware through WhatsApp.

However, in court, the spyware maker admitted that Pegasus had abused the WhatsApp service to install spyware on “hundreds to tens of thousands” of target devices.

The company also admitted to reverse engineering WhatsApp to develop these attack methods and provided both the technology and WhatsApp accounts to its clients for use in these operations.

How Pegasus Was Deployed

The spyware installation process began when a Pegasus operator entered the victim’s phone number into a field in the program running on their laptop. This triggered a remote and fully automated deployment of Pegasus on the target device.

Contrary to NSO Group’s previous statements, client involvement in the attacks was minimal. All they had to do was enter the victim’s phone number and click “Install.” The spyware deployment and data extraction were handled automatically by Pegasus and NSO, requiring no technical knowledge or further action from the clients.

Despite this, NSO Group continues to claim it is not responsible for its clients’ actions and does not have access to the data obtained through Pegasus, allegedly minimizing the company’s role in surveillance operations.

“NSO continues to stand by its previous statements, in which we have repeatedly said that the system is operated exclusively by our clients, and neither NSO nor its employees have access to the collected information,” Gil Lainer, NSO Group’s Vice President of Global Communications, told the media. “We are confident that we will defend these and many other claims made in the past in court, and we look forward to this opportunity.”