- WhatsApp, a Facebook-owned messaging app used by more than 1.5 billion people around the world, recently found a major security flaw, the Financial Times reported.
- The hack is reportedly as simple as receiving a WhatsApp phone call, even if you don’t pick up the call. A record of the call can even be remotely erased, the report says.
- The WhatsApp exploit enables the installation of software from the NSO Group, a secretive firm from Israel that reportedly bills itself as a leader in cyberwarfare and is behind a notoriously invasive software tool called Pegasus.
- The NSO Group denied involvement in the WhatsApp exploit, though that doesn’t preclude the possibility that someone else used its products to exploit the WhatsApp security hole.
A security flaw in the massively popular WhatsApp messaging platform used by more than 1.5 billion people exposed users to software from NSO Group, the maker of one of the world’s most malicious spyware programs, called Pegasus.
The spy software enables remote access to your phone’s most private information, from text messages to call logs to location data.
Pegasus surfaced in 2016, when it was reportedly used to spy on a human-rights activist in the United Arab Emirates. In the years since, it’s been linked to the death of the Washington Post reporter Jamal Khashoggi, as well as the Mexican government’s capture of the drug trafficker Joaquín “El Chapo” Guzmán.
The NSO Group is notoriously secretive. The Israeli firm sells sophisticated hacking tools to governments, militaries, and intelligence agencies – and it tries to keep such a low profile that it even changes its name regularly.
Here’s everything we know about the secretive firm behind one of the world’s most effective spyware applications.
NSO Group was founded in late 2009 by serial entrepreneurs with ties to the Israeli government.
Headquartered in Herzliya, Israel, NSO Group was founded in December 2009 by Omri Lavie and Shalev Hulio, according to their LinkedIn profiles, which show they are both serial entrepreneurs who had started several other companies in Israel.
A third founder, Niv Carmi, left the company shortly after its inception and left Lavie and Hulio as majority shareholders.
The San Francisco private-equity firm Francisco Partners acquired a majority stake in NSO Group for $120 million in 2014, though its operations remained in Israel.
Hulio said on his LinkedIn profile that he was a company commander with the Israel Defense Forces, while Lavie said he was an employee of the Israeli government.
At least three of its current employees claim to have worked in Unit 8200, Israel’s version of the US’s National Security Agency. Other NSO Group employees came from Mossad, Israel’s national intelligence agency.
The firm separated from Francisco Partners in early 2019; NSO Group is now owned and run by its original founders and management, in partnership with the European private-equity firm Novalpina Capital.
In an interview with “60 Minutes” in March, NSO Group’s cofounder and CEO, Shalev Hulio, said its technology had saved “ten of thousands of people.”
“We are selling Pegasus in order to prevent crime and terror,” Hulio told “60 Minutes.”
He added: “Intelligence agencies came to us and say, ‘We do have a problem. With the new smartphones, we cannot longer get valuable intelligence.'”
The show said a European security official confirmed that NSO Group software had been used to thwart terrorist attacks in Europe.
In the same “60 Minutes” piece, Ron Deibert, who leads a human-rights watchdog group at the University of Toronto called Citizen Lab, warned of the potential misuse of those same tools by governments.
“This technology is being used by autocratic dictators who can mount global cyber-espionage operations simply by purchasing the technology,” Deibert said.
It’s hard to figure out what the company actually does — but its website offers some clues.
The company describes what it does on its website as follows:
“We develop technology that enables government intelligence and law enforcement agencies to prevent and investigate terrorism and crime. We provide the tools that support official authorities to lawfully address the most dangerous issues in today’s world. Governments use our products to prevent terrorism, break up criminal operations, find missing persons, and assist search and rescue teams.”
NSO employs more than 230 people, according to LinkedIn. That’s more than double its headcount two years ago.
The company’s specialty is “the field of cyber warfare.”
A brochure from the company uploaded online by Privacy International gives more insight into what it really does: offer mobile hacking solutions for a variety of phones, exclusively for the use of governments, law enforcement, and intelligence agencies.
The NSO Group brochure says it is “a leader in the field of cyber warfare” with its proprietary tool, called Pegasus, designed to monitor and extract all data from a target “via untraceable commands” allowing for “remote and stealth monitoring.”
Its software is purchased by governments all over the world for millions of dollars.
Its clients have reportedly included Panama and Mexico, though a person familiar with the company told The Wall Street Journal in 2014 that it does business all over the world. The Mexican government reportedly employed NSO Group technology to capture the drug trafficker Joaquín “El Chapo” Guzmán.
NSO received $8 million from Panama’s government for its Pegasus spy software, according to a Panamanian newspaper. And with research from Citizen Lab in 2016 documenting an attack on Ahmed Mansoor, a human-rights activist living in the United Arab Emirates, it’s likely that government has purchased the software as well.
The company’s annual earnings were approximately $75 million in 2015, according to Reuters.
NSO’s Pegasus spy tool transforms a variety of phones into mobile listening stations.
NSO demonstrated its mobile-phone hacks on BlackBerry, iPhone, and Android phones in 2013, according to leaked emails from a breach of Hacking Team, a competitor of the company based in Italy, published on WikiLeaks.
“Your smartphone today is the new walkie-talkie,” Lavie told the Financial Times that year. “Most of your typical solutions for interception are inadequate, so a new tool had to be built.”
Pegasus can infect a targeted phone in two ways, both through SMS text messaging. Its “zero-click” vector allows an attacker to send a special SMS message to a target that causes the phone to automatically load a malicious link, while its “one-click” vector requires the user to click a link; the infection then happens in the background without the user ever knowing.
Once the device is infected, spies can actively record with its microphone or video camera, grab personal data like calendars, contacts, and passwords, or download all the data on the device, including emails, photos, and browsing history.
“We’re a complete ghost,” Lavie told Defense News in 2013. “We’re totally transparent to the target, and we leave no traces.”
There’s speculation that Jeff Bezos’ phone was hacked using tools very similar to those created by NSO.
The Amazon CEO’s phone was famously hacked earlier this year, exposing intimate texts and pictures he exchanged with Lauren Sanchez, the woman with whom he was having an affair.
In a March op-ed article in The Daily Beast, Bezos’ security consultant said his team concluded that Saudi Arabia “had access to Bezos’ phone and gained private information.”
He stopped short of asserting how Saudi Arabia might have accessed Bezos’ phone, but he linked to a New York Times article on “internet mercenaries” including NSO Group, DarkMatter, and Black Cube.
The WhatsApp exploit reportedly enabled NSO Group’s Pegasus software to be installed on iPhone and Android smartphones through a WhatsApp phone call.
The Financial Times reported on Monday that through a WhatsApp exploit, malicious actors could install NSO Group’s software simply by calling their target in WhatsApp.
The phone call didn’t need to be picked up, and a call log could even be remotely erased after the fact, the report said. If successful, the target’s phone data could be accessed – everything from call logs to location data. It’s unclear how many phones were targeted.
The NSO Group denied involvement in the WhatsApp exploit, though that doesn’t preclude the possibility that someone else used its products to exploit the WhatsApp security hole.
A WhatsApp representative told the FT that the attack “has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems.”
A separate statement from a WhatsApp representative sent to Business Insider encouraged WhatsApp users to update to the latest version of the app that patched the flaw:
“WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices. We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
Paul Szoldra contributed to a previous version of this report.