SoylentNews

Arthur T Knackerbracket has found the following story:

Facebook and its WhatsApp messenger division on Tuesday sued Israel-based spyware maker NSO Group. This is an unprecedented legal action that takes aim at the unregulated industry that sells sophisticated malware services to governments around the world. NSO vigorously denied the allegations.

Over an 11-day span in late April and early May, the suit alleges, NSO targeted about 1,400 mobile phones that belonged to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. To infect the targets with NSO's advanced and full-featured spyware, the company exploited a critical WhatsApp vulnerability that worked against both iOS and Android devices. The clickless exploit was delivered when attackers made a video call. Targets need not have answered the call or taken any other action to be infected.

According to the complaint, NSO created WhatsApp accounts starting in January 2018 that initiated calls through WhatsApp servers and injected malicious code into the memory of targeted devices. The targeted phones would then use WhatsApp servers to connect to malicious servers allegedly maintained by NSO. The complaint, filed in federal court for the Northern District of California, stated:

In order to compromise the Target Devices, Defendants routed and caused to be routed malicious code through Plaintiffs' servers—including Signaling Servers and Relay Servers—concealed within part of the normal network protocol. WhatsApp's Signaling Servers facilitated the initiation of calls between different devices using the WhatsApp Service. WhatsApp's Relay Servers facilitated certain data transmissions over the WhatsApp Service. Defendants were not authorized to use Plaintiffs' servers in this manner.

Between approximately April and May 2019, Defendants used and caused to be used, without authorization, WhatsApp Signaling Servers, in an effort to compromise Target Devices. To avoid the technical restrictions built into WhatsApp Signaling Servers, Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings. Disguising the malicious code as call settings enabled Defendants to deliver it to the Target Device and made the malicious code appear as if it originated from WhatsApp Signaling Servers. Once Defendants' calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.

[...] Critics of the spyware industry have long said that NSO and its competitors sell products and services to oppressive governments that use them to target attorneys, journalists, human-rights advocates, and other groups that pose no legitimate threat. Citizen Lab, a University of Toronto research group that tracks hacking campaigns sponsored by governments, volunteered to help Facebook and WhatsApp investigate the attacks on its users. Citizen Lab said among those targeted in the campaign were 100 members of "civil society" from 20 countries.

Besides Facebook and WhatsApp apps and servers, NSO allegedly used servers owned by Amazon Web Services and smaller hosts Choopa and Quadrant. The leased servers connected targeted devices to a network of remote servers that were designed to distribute malware and send commands to devices once they were infected. Tuesday's complaint said that an IP address assigned to one of the malicious servers was previously used by a subdomain operated by NSO.

Now that Facebook and WhatsApp have taken the unprecedented step of suing a spyware provider for using its servers to target its users, it will be interesting to see if Amazon and the other server hosts mentioned in the complaint follow suit. So far, they haven't responded to emails seeking comment.

Original Submission