Meta-owned WhatsApp has secured a significant legal victory against Israeli spyware vendor NSO Group. A U.S. federal court in California ruled that NSO Group exploited a security vulnerability in WhatsApp to deliver its Pegasus spyware, violating the platform’s terms of service and evidencing malicious intent.
The court said NSO’s Pegasus spyware was transmitted via WhatsApp’s California-based servers 43 times during May 2019. It criticized NSO Group for "repeatedly failing to produce relevant discovery and disobeying court orders," particularly by restricting access to crucial pieces of code and limiting cooperation to Israeli citizens within Israel's jurisdiction.
NSO refused to provide the entire Pegasus source code, offering only documentation linked to an Amazon Web Services (AWS) server. WhatsApp maintained that the limited codebase withheld critical insights into the spyware’s broader functionality.
The court further held NSO Group liable for breach of contract, stating that its actions violated WhatsApp's terms of service by using the platform for malicious purposes and undertaking prohibited reverse engineering of the app. The case will now proceed to trial to determine damages.
WhatsApp initially filed its complaint against NSO Group in late 2019, accusing the company of exploiting a zero-day vulnerability (CVE-2019-3568, CVSS score: 9.8) in WhatsApp's voice calling feature. This exploit allowed Pegasus spyware to infiltrate user devices without user interaction.
The attack was linked to at least 1,400 device breaches worldwide. Court documents disclosed last month revealed that NSO continued using WhatsApp to deploy Pegasus until May 2020, further cementing the allegations of sustained exploitation.
NSO Group has maintained that its Pegasus spyware is exclusively designed for lawful purposes, intended for government and law enforcement agencies to fight serious crimes, including terrorism, child exploitation, and human trafficking.
Recently, Apple issued a new set of warnings on spyware attacks for its iPhone users in 98 countries worldwide, including India, comparing these to the Israeli NSO Group’s Pegasus spyware, which exploited an iMessage zero-day a few years ago.