In September, WhatsApp told govt 121 individuals affected by Pegasus spyware

Update: 2019-11-02 05:55 GMT

New Delhi: In September, almost four months after it first informed government agencies about the vulnerability in its service, WhatsApp informed Indian authorities that 121 individuals were compromised by the NSO 'spyware', sources in the Facebook-owned company said. The Indian Express could not independently verify the number, though it is learnt that the number has not changed since.

On Thursday, The Indian Express had reported that journalists and human rights activists in India were among the 1400 targets of surveillance by operators using Israeli firm NSO's spyware Pegasus. After the Indian government sought an explanation, on Friday, WhatsApp responded to the government again and explained its lawsuit in a California court.

As per the CERT-In website, the nodal agency has been mandated to, among other things, "forecast and alert of cyber security incidents", come up with "emergency measures for handling" such incidents and issue "guidelines and advisories" when needed. The homepage of the site itself lists vulnerabilities in everything from Apple's iOS to Microsoft Windows.

In its lawsuit filed in the Northern District of California courts on October 29 against NSO Group Technologies Limited and Q Cyber Technologies Limited, WhatsApp had claimed that in and around April 2019 and May 2019, the "defendants used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices" for surveillance. The suit claimed that since NSO was "unable to break WhatsApp's end-to-end encryption", they "developed their malware in order to access messages and other communications after they were decrypted on Target Devices".

Sources in WhatsApp said that while the vulnerability in its product was the entry point for the attack, "for an SOS malware to be affected, it needs to take advantage of multiple vulnerabilities in the phone". "It needs a starting point, and we've acknowledged that in this case happened through our voice calling."

The lawsuit claims the "Defendants set up various computer infrastructure, including WhatsApp accounts and remote servers" and then "used WhatsApp accounts to initiate calls through Plaintiffs' servers that were designed to secretly inject malicious code onto Target Devices". It then "caused the malicious code to execute on some of the Target Devices, creating a connection between those Target Devices and computers controlled by Defendants (the "remote servers")".

The lawsuit claims that between January 2018 and May 2019, NSO created WhatsApp accounts "using telephone numbers registered in different counties, including Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands". They also "leased and caused to be leased servers and internet hosting services in different countries, including the United States, in order to connect the Target Devices to a network of remote servers intended to distribute malware and relay commands to the Target Devices". WhatsApp claimed these servers were owned by Choopa, Quadranet and Amazon Web Services, among others. "The IP address of one of the malicious servers was previously associated with subdomains used by Defendants."

As per WhatsApp, NSO "reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers". "To avoid the technical restrictions built into WhatsApp Signaling Servers," the lawsuit claimed, "Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings… Once Defendants' calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call."

(Inputs from The Indian Express)
