NSO Group impersonated Facebook to distribute the Pegasus spyware
Israeli surveillance equipment maker NSO Group allegedly impersonated Facebook in an attempt to install its phone-hacking software on devices in the United States.
An investigation carried out by Motherboard has revealed that a web domain was created by the NSO Group that looked like it belonged to Facebook’s security team. Using the malicious domain, the firm tried to lure Internet users into installing the company’s powerful cell phone hacking technology, Pegasus. Motherboard also claimed that they have evidence that servers inside the United States were used to spread Pegasus to a large number of devices.
Pegasus is a well-known piece of spyware created by the NSO Group and features a number of surveillance capabilities that include capturing screenshots, keylogging, live audio capture, browser history exfiltration, email exfiltration from Android’s Native Email client, and exfiltration of contacts and text messages from devices.
According to security researchers, Pegasus is also capable of exfiltrating messaging data from commonly-used applications such as WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao, and can self-destruct if an antidote file exists in an infected device or if it has not been able to check in with the servers after 60 days of infiltration.
The Israeli surveillance firm is currently fighting a lawsuit filed by Facebook, which alleged that the firm “used WhatsApp servers, located in the United States and elsewhere, to send malware to approximately 1,400 mobile phones and devices” and that the firm developed their malware “in order to access messages and other communications after they were decrypted on Target Devices”.
NSO has, however, denied the allegations brought against it and has labelled them “recycled conjecture”. The firm has, in fact, asked the court in California to dismiss the case as it never uses its spyware and only sells it to law enforcement and intelligence agencies worldwide.
The lawsuit was filed after Facebook discovered that a critical vulnerability in the WhatsApp messaging service was being exploited by NSO Group to inject surveillance malware into users’ devices. The company soon rolled out a security update, stating that “an advanced cyber actor” had already exploited the vulnerability to carry out surveillance of targeted entities.
According to Facebook, between April and May last year, NSO Group formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings to avoid the technical restrictions built into WhatsApp Signalling Servers.
Using this method, NSO Group transmitted malicious code to approximately 1,400 target devices between April 29 and May 10. These devices were owned by attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.