WhatsApp will have access to the code of Pegasus, NSO's spyware

A US court has ordered the Israeli company NSO hand over spyware code Pegasus to WhatsApp as part of the judicial process that confronts both companies. WhatsApp sued NSO in 2019 after discovering that Pegasus had been used against 1,400 Meta app users over a two-week period, but Judge Phyllis Hamilton's decision goes further. NSO must provide “all relevant spyware” from April 29, 2018 to May 10, 2020as well as information “on the full functionality of the relevant spyware.”

“The recent court ruling is an important milestone in our long-term goal of protecting WhatsApp users against illegal attacks. Spyware companies and other malicious actors must understand They can be caught and will not be able to ignore the law“A WhatsApp spokesperson told The Guardian.

NSO asked the judge to exempt it from this decision, arguing that it is subject to “several US and Israeli restrictions.” With her decision, Hamilton has sided with WhatsApp, although not entirely. The Israeli company has achieved not be required to disclose the names of its clients and information about the architecture of its servers.

WhatsApp has alleged that Pegasus can “intercept communications sent to and from a device, including communications via iMessage, Skype, Telegram, WeChat, Facebook Messenger, WhatsApp and others” and that it could also be “customized for different purposes, including intercepting communications, taking screenshots, and filtering browser history.”

According to Judge Hamilton, WhatsApp needs access to “all relevant spyware,” specifically “any NSO spyware targeting WhatsApp servers or using WhatsApp in any way to access the target devices“, for “a period from one year before the alleged attack to one year after the alleged attack.”

Pegasus is one of the most sophisticated spy tools that have come to light. NSO is heavily controlled by Israel's Defense Ministry, which must authorize its sale to foreign governments. In the past, the software has been shown to be capable of exploiting vulnerabilities that allowed it to infect a device just by receiving a WhatsApp callwithout it being necessary to even pick it up, or an iPhone with receive a message. Both vulnerabilities have already been fixed by Meta and Apple, respectively.

In Spain, the Pegasus name hit the headlines after the mobile Pedro Sanchez was infected with spyware and, according to Judge José Luis Calama of the National Court, 2.57 GB of data between October 2020 and December 2021. Therefore, in principle, its use on the Prime Minister's mobile phone falls outside the deadlines imposed by Hamilton. Calama agreed to dismiss the case due to Israel's lack of collaboration in the investigation.

This is not the case with the case of Pere Aragonéspresident of the Generalitat of Catalonia, who was spied on with Pegasus by the CNI, with authorization from the Supreme Court, while he was vice president in 2019 and 2020.