WhatsApp is the world’s most popular
communications software, with about 1.5 billion
users in 180 countries.
John Scott-Railton, a researcher with the
internet watchdog Citizen Lab, called the hack “a
very scary vulnerability” when it was discovered.
“There’s nothing a user could have done here,
short of not having the app.”
Citizen Lab subsequently volunteered to assist
Facebook in the investigation.
The lawsuit alleges that malicious code from
NSO was sent from April 29 through May 10 over
WhatsApp servers. The aim was to infect some
1,400 devices whose users included attorneys,
journalists, human rights activists, political
dissidents, diplomats and other government
officials. It said the targeted phone numbers
were in countries including Bahrain, United Arab
Emirates and Mexico.
NSO’s spyware has repeatedly been found
deployed to target such people. Most notably,
the spyware was implicated in the gruesome
killing of Saudi journalist Jamal Khashoggi,
who was dismembered in the Saudi consulate
in Istanbul last year and whose body has never
been found.
In the lawsuit, Facebook alleges that after it
publicly announced that it had identified and
closed the vulnerability an NSO employee
complained “You just closed our biggest remote
for celluar .... It’s on the news all over the world.”
The spyware did not directly affect the end-to-
end encryption that makes WhatsApp chats
and calls private. It merely used a bug in the
WhatsApp software as an infection vehicle.