WhatsApp is taking what some are calling an “unprecedented” step. They are suing a company for making and selling malware used to spy on activists and journalists.
The malware industry is arguably one of the shadier industries on the Internet. For most people, its activities are shrouded in mystery. These companies tend to work only with governments and corporate interests that tend not to have human rights top of mind. Many people see only the end results of their work, if at all. This tends to end with reformatting devices or worse.
Generally speaking, holding these companies accountable is a pretty hit-and-miss thing. Sometimes, the companies simply say that producing the malware isn’t criminal. Some even boast that their clients use the malware to “catch the bad guys” as a means of justifying their activities. Of course, finding out who these clients are is easier said than done. For some, these clients tend to be third world country dictators targeting activists and journalists. Even if a crime is traced back to a specific country, that company is often overseas, and holding them to account often ends up being more trouble than it’s worth.
So, for many in this dark industry, they can continue operating without fear of repercussions. That is, more or less, until now.
The makers of WhatsApp have now taken what is being described as “unprecedented” action. They say they are suing a company for the sale of malware that targeted their devices. From The Guardian:
More than a dozen pro-democracy activists, journalists and academics have spoken out after WhatsApp privately warned them they had allegedly been the victims of cyber-attacks designed to secretly infiltrate their mobile phones.
The individuals received alerts saying they were among more than 100 human rights campaigners whose phones were believed to have been hacked using malware sold by NSO Group, an Israeli cyberweapons company.
WhatsApp launched an unprecedented lawsuit against the surveillance company earlier this week, claiming it had discovered more than 1,400 of its users were targeted by NSO technology in a two-week period in May.
Filed in a Californian court, the lawsuit described the alleged attacks as an “unmistakeable pattern of abuse” that violated US law.
Two pro-democracy campaigners from Morocco who received the WhatsApp warnings said any use of the sophisticated malware, known as Pegasus, against them would be a serious violation of their rights.
“I am a big proponent of democratisation in the Middle East in general and in Morocco in particular,” said Aboubakr Jamaï, a campaigner and former journalist who lives in France. “The Moroccan regime is certainly less nefarious than, say, the Syrian regime, but it’s nonetheless an authoritarian regime who can use some despicable means against its opponents, as it did.”
Naked Security went into further detail about what this malware was capable of doing:
The lawsuit specifically refers to NSO Group’s notorious Pegasus – a type of spyware known as a remote access Trojan (RAT).
Pegasus enables governments to send a personalized text message with an infected link to a blank page. Click on it, whether it be on an iOS or Android phone, and the software gains full control over the targeted device, monitoring all messaging, contacts and calendars, and possibly even turning on microphones and cameras for surveillance purposes.
According to the lawsuit, NSO couldn’t get its spyware past WhatsApp encryption. In order to hack the messaging app, NSO created a Pegasus version that didn’t require that targets be spearphished with a rigged link.
Rather, NSO allegedly formatted call initiation messages containing malicious code to make the calls look legitimate, as if the calls originated from its signaling servers. By concealing the code within call settings, NSO allegedly used WhatsApp’s own servers – relay and signaling – to route the company’s spyware.
The report goes on to describe how the malware would be used to target activists and journalists. Some of those who had their devices infected by the malware would go on to face assassination attempts and threats of violence.
Of course, one of the problems that this lawsuit could run into is a matter of jurisdiction. NSO Group is an Israeli cyberweapons company. The lawsuit is being filed in California. So, even if WhatsApp gets a guilty verdict, the question then becomes: how can such a verdict be enforced? If, for instance, prison sentences are handed down, would Israel actually comply with that and issue an arrest warrant, or would it just ignore it?
What will be interesting to see is where this whole thing will go to begin with. Certainly, holding malware companies accountable will get a lot of support. Whether or not the US justice system can reach this company is another thing entirely.
Drew Wilson on Twitter: @icecube85 and Facebook.