Pegasus Spyware Found to Have Violated Hacking Laws in WhatsApp Lawsuit

by | Dec 31, 2024

The row about NSO Group’s Pegasus spyware that began in 2021 has already resulted in a ban and blacklisting from the United States, but the company is now in further legal trouble. Meta has prevailed in a long-running lawsuit centered on the group’s use of WhatsApp to deliver its malware, and the judge is not only awarding damages but has found that both state and federal hacking laws were violated.

Prior to the infamous zero-day text messaging flaws that the Pegasus spyware exploited in iOS and Android, one of its delivery methods was to exploit a bug in WhatsApp to deliver malware to targets. The company filed a complaint in 2019 after finding that NSO Group had infected some 1,400 of its users this way in a span of about two weeks. The decision chips away at the spyware firm’s long-standing defense that while it attempts to screen clients for legitimate law enforcement purposes, it ultimately cannot be held liable for what they do with the software.

NSO Group can be held liable for client Pegasus spyware use in US courts

WhatsApp first brought action against NSO Group in May 2019, but the court documents show that the company continued to use the messaging platform to deliver its Pegasus spyware into May 2020. Pegasus usually hinges on one or two novel zero-day tricks of this sort that it exploits for up to several years, until they are discovered and patched; the company then moves on to the next trick.

NSO Group claims that it only sells the Pegasus spyware to non-authoritarian governments that demonstrate legitimate law enforcement or terrorism investigation use, and that it does not directly participate in any client hacking of their targets. The first part of that has been disproven since the Pegasus Papers came out in 2021, and a growing body of evidence indicates the second part is not true either. The US court system now views the company as an active participant in “installing and extracting” files from target devices, at least in terms of how the WhatsApp hack was applied.

Damages from Pegasus spyware to be assessed

The case took over five years to wind through the courts in part because of a lengthy appeals process, and in part because of stalling by NSO Group after being ordered to deliver its source code to Meta for inspection. The Israel-based company first tried to claim that it legally qualified as a foreign agent conducting official foreign business in the US, which would have given it protection under federal law. That claim was rejected by a trial judge, then a district court, and then eventually the Supreme Court before being sent back down a level to proceed.

That process took nearly four years in total, and then NSO Group spent 2024 attempting to duck and dodge orders to provide WhatsApp with the source code it had used. The company tried to make it viewable only to a citizen of Israel located physically in that country at the time, something the judge took the company to task for.

The judge ultimately determined that the Pegasus spyware exceeded its legal level of access to WhatsApp servers, placing it in violation of both the US Computer Fraud and Abuse Act and California’s similar state law. NSO Group will have to pay damages to Meta, to be determined by a separate trial slated to start in March.

Recent Posts

How can we help?

7 + 15 =

× How can I help you?