The New York Times says NSO Group, the Israeli spyware maker at the center of years of controversy, now has to pay over $167 million in damages to Meta, the company behind WhatsApp. That ruling wraps up a six-year legal fight that began when NSO"s Pegasus spyware was used to target about 1,400 WhatsApp users, including journalists, activists, and government officials.
It all started in 2019, when NSO Group exploited a serious flaw in WhatsApp"s code. The vulnerability was hidden in how the app handled voice and video calls. Attackers could place a call to someone, and even if the person didn"t answer, Pegasus could quietly install itself on the device. No taps, no links, no downloads. Just a missed call, and the spyware was in. It was what"s known as a zero-click attack. Victims usually had no idea, and sometimes the app would crash or call logs would be wiped remotely. WhatsApp moved quickly to fix the issue in May 2019, pushed an update, and notified those affected.
By December of that year, WhatsApp took NSO Group to court, accusing it of gaining unauthorized access to its servers. After a long legal battle, U.S. District Judge Phyllis Hamilton ruled in late 2023 that NSO had broken cybersecurity laws. With the damages now finalized, the case has finally reached its conclusion. This ruling specifically covered the use of Pegasus to target phones with WhatsApp installed in 20 countries.
Meta formally sought damages from NSO Group in March, leading to arguments about potential penalties presented to a jury just last week. After two days of deliberation, the jury delivered its verdict on Tuesday, awarding the over $167 million in damages.
Will Cathcart, the head of WhatsApp, commented on the outcome:
The jury"s verdict today to punish NSO is a critical deterrent to the spyware industry against their illegal acts aimed at American companies and our users worldwide. This is an industrywide threat, and it"ll take all of us to defend against it.
WhatsApp has stated that it plans to donate the awarded damages to digital rights organizations dedicated to defending people targeted by such technology.
Meanwhile, NSO Group"s vice president for global communication, Gil Lainer, indicated the company is not ready to give up:
We will carefully examine the verdict"s details and pursue appropriate legal remedies, including further proceedings and an appeal.
He also reiterated NSO Group"s long-standing argument, stating:
We firmly believe that our technology plays a critical role in preventing serious crime and terrorism and is deployed responsibly by authorized government agencies.
The trial provided some interesting insights into how NSO Group operates. Executives from the company testified in court for the first time, shedding more light on Pegasus"s capabilities. Beyond the 2019 WhatsApp call exploit, evidence presented during the trial showed that newer versions of NSO Group"s technology have evolved, capable of hacking into a phone simply through a sent text message, still requiring no action from the receiver. The trial also revealed that NSO Group had developed technology capable of hacking into other messaging applications beyond WhatsApp.
If you"ve been following Neowin for a while, NSO Group should sound familiar. This isn"t the first time the company has been caught in serious trouble. In November 2021, Apple filed a lawsuit against NSO for hacking iPhones and spying on users. That case did not last long, as Apple quietly dropped it in September last year. The U.S. Commerce Department also took action in 2021 by blacklisting NSO Group and placing it on its Entity List. The department said NSO"s activities were a threat to national security and ran counter to U.S. foreign policy interests.
John Scott-Railton, a senior researcher at Citizen Lab, a cybersecurity group that helped WhatsApp alert users who were targeted, said NSO"s business relies on hacking American tech companies and providing authoritarian governments with tools to track dissidents. He said the verdict sends a strong message that these practices will not be tolerated.
Source: The New York Times