WhatsApp Sues NSO for Exploiting a Zero Day that Compromised 1400 Users

By Bill Toulas / October 30, 2019

Israeli spyware services provider NSO has just received a lawsuit from WhatsApp accusing them of breaking into the devices of about 1400 users through an undisclosed zero-day flaw that plagued its software. NSO is known for helping oppressive governments track individuals of particular interest. This includes journalists, activists, leaders of all kinds of minorities, and generally people who are opposing the local regimes with their words and actions. We recently saw how the U.S. Drug Enforcement Administration tried to buy spyware tools from them, and how the public felt appalled by the news.

The Facebook company has submitted the lawsuit in the federal court of San Francisco, involving the governments of the United Arab Emirates, Bahrain, Mexico, and another 17 countries. Allegedly, the NSO used a WhatsApp vulnerability that the messaging app engineers weren’t aware of, and took over hundreds of devices of victims. In the victim list, there are about a hundred civil society members, which WhatApp’s lawyers call “an unmistakable pattern of abuse”.

NSO flatly denied the accusations, saying that they will dispute and vigorously fight them on the court. As NSO points out, they only license their products and offer their services in the context of fighting terrorism and serious crime, not track the actions of citizens who are merely against the government. Still, though, we have seen that this is not always the case, as there have been cases of almost indiscriminate mass surveillance that involved NSO’s tools.

WhatsApp claims that the attack took advantage of a bug in the video calling system of the application, finding a door to drop malware to the target devices. This was a spying malware that was exfiltrating data to the associated governments and intelligence organizations. For this, WhatsApp is asking for damages and the barring of NSO from all Facebook products.

The messaging app knows all that thanks to the cybersecurity research laboratory at the University of Toronto, who worked with them in the investigation. According to them, the targets that they can confirm include well-known television personalities and prominent women who were on the receiving end of online hate campaigns. However, no names have been disclosed yet, so this is about to get very interesting soon. Moreover, this lawsuit opens up the door to other applications, who may sue NSO on the same basis, and who are now having a great interest in this otherwise, unprecedented case.

Do you believe this lawsuit stands any chance on the court, or is this an effort made in vain? Let us know what you think in the comments down below, or on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: