WhatsApp has filed a suit against Israeli technology firm NSO Group for allegedly hacking at least 1400 accounts by installing malware on users’ mobile phones.
According to Will Cathcart, Head of WhatsApp, NSO Group launched the cyber attacks by exploiting a vulnerability in WhatsApp’s video-calling feature. The vulnerability was identified and blocked in May.
“A user would receive what appeared to be a video call, but this was not a normal call. After the phone rang, the attacker secretly transmitted malicious code in an effort to infect the victim’s phone with spyware. The person did not even have to answer the call,” said Cathcart.
Interestingly, according to Cathcart, investigations revealed that the attackers targeted at least 100 human-rights defenders, journalists and other members of civil society across the world.
WhatsApp’s investigations revealed that the attackers used servers and Internet-hosting services that were previously associated with NSO Group.
The complaint said the attackers “reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code” to take over the devices.
“We have tied certain WhatsApp accounts used during the attacks back to NSO. While their attack was highly sophisticated, their attempts to cover their tracks were not entirely successful,” he added.
Cathcart said that although WhatsApp uses end-to-end encryption to protect the privacy of its users, some companies like NSO are hunting for workarounds by implanting spyware directly onto devices.
“The attack we saw provides several urgent lessons,” he said.
“Democracies depend on strong independent journalism and civil society, and intentionally weakening security puts these institutions at risk. And we all want to protect our personal information and private conversations. That’s why we will continue to oppose calls from governments to weaken end-to-end encryption.”
NSO Group has, however, denied the claims, saying it would fight them in court.
“In the strongest possible terms, we dispute today’s allegations and will vigorously fight them,” the company said in a statement.
“The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime.”
The company came into the limelight in 2016 when researchers accused it of helping spy on an activist in the United Arab Emirates.
To make the world a better place, Cathcart said there is a need for companies to uphold integrity.
Companies simply should not launch cyberattacks against other companies. Responsible actors report vulnerabilities when they are found; they do not use their technology to exploit those vulnerabilities. Likewise, companies should not sell services to others engaged in such attacks.
He called on governments to do more to protect their citizens from privacy-related cyber attacks.
“The mobile phone is the primary computer for billions of people around the world. It is how we have our most private conversations and where we store our most sensitive information. Governments and companies need to do more to protect vulnerable groups and individuals from these attacks. WhatsApp will continue to do everything we can within our code, and within the courts of law, to help protect the privacy and security of our users everywhere,” he added.