This spring, a team of engineers at WhatsApp detected a series of suspicious calls on the messaging service’s networks, many of them emanating from phone numbers in Sweden, the Netherlands, Israel, and other countries. At first, WhatsApp wasn’t sure what was happening. Then the engineers, working with their counterparts at Facebook, which owns WhatsApp, realized that the voice and video calls were somehow infecting targeted phones with advanced spyware, using a penetration method that the company had never encountered before. Most disturbing to the investigators was that it appeared many of the targeted phones became infected whether the calls were answered or not—what’s known as a zero-click vulnerability.
The malware then instructed the targeted phones to upload their content to servers owned by Amazon Web Services and other companies, where the stolen data was stored and could be accessed by the intruders. After the malware was loaded on some of the targeted phones, the call logs were wiped. Victims who heard their phones ringing overnight found no evidence of the calls in the morning.
On May 13th, WhatsApp announced that it had discovered the vulnerability. In a statement, the company said that the spyware appeared to be the work of a commercial entity, but it did not identify the perpetrator by name. WhatsApp patched the vulnerability and, as part of its investigation, identified more than fourteen hundred phone numbers that the malware had targeted. In most cases, WhatsApp had no idea whom the numbers belonged to, because of the company’s privacy and data-retention rules. So WhatsApp gave the list of phone numbers to the Citizen Lab, a research laboratory at the University of Toronto’s Munk School of Global Affairs, where a team of cyber experts tried to determine whether any of the numbers belonged to civil-society members.
On Tuesday, WhatsApp took the extraordinary step of announcing that it had traced the malware back to NSO Group, a spyware-maker based in Israel, and filed a lawsuit against the company—and also its parent, Q Cyber Technologies—in a Northern California court, accusing it of “unlawful access and use” of WhatsApp computers. According to the lawsuit, NSO Group developed the malware in order to access messages and other communications after they were decrypted on targeted devices, allowing intruders to bypass WhatsApp’s encryption.
The lawsuit also details how NSO Group may have planned the attack, noting that the company had created a series of WhatsApp accounts that were used to initiate the calls which injected the spyware onto the victims’ phones. An NSO Group employee appeared to reach out directly to someone involved in patching the WhatsApp vulnerability after it was disclosed, writing, “You just closed our biggest remote for cellular. . . . It’s on the news all over the world,” according to the lawsuit.