WhatsApp Hack: Meta Wins Payout Over NSO Group Spyware

In a significant victory for privacy advocates, Meta has emerged as the winner in a six-year legal battle against Israel-based NSO Group, the maker of the notorious Pegasus spyware. The ruling, which has awarded Meta nearly $170 million in damages, marks a major blow to NSO Group's reputation and highlights the need for greater regulation of the surveillance industry.

The dispute began in October 2019, when Meta filed a lawsuit against NSO Group alleging that the company had misused its servers to spy on users. According to the complaint, NSO Group had reverse engineered WhatsApp's software and developed its own malware-laced messages to send to victims' mobile phones via the WhatsApp service. The attacks targeted around 1,400 mobile devices, including those used by high-profile individuals such as attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.

The purpose of the attacks was to gain access to the messages on these devices, which were typically used for sensitive communication. NSO Group's malware installed itself on the victims' smartphones using a zero-click attack, meaning that the victim didn't have to take any action to trigger the compromise. It was enough simply for the message to arrive.

In December, a judge ruled in Meta's favor, granting partial summary judgment and paving the way for a trial to determine damages. NSO Group had argued that Facebook lost nothing as part of the attack, but the jury ultimately awarded Meta $444,719 in compensatory damages and $167,254,000 in punitive damages.

The ruling comes at a time when NSO Group has faced mounting criticism over its activities. In 2021, the US federal government blacklisted it for enabling foreign governments to spy on a range of people in acts of "transnational repression." The same year, investigative website The Pegasus Project alleged that the company targeted over 180 journalists around the world.

The European Data Protection Supervisor had recommended an EU ban on the technology in 2022, although this has not yet happened. The ruling drew praise from Amnesty International, which had filed a court brief as part of the case outlining the human rights implications of the attacks on Meta.

"This decision should serve as a wake-up call to governments to take proactive, concrete steps to regulate the surveillance industry, to enforce safeguards on their surveillance practices, and to comprehensively ban tools that are inherently incompatible with human rights obligations and standards, such as Pegasus," said Amnesty International in a statement.

So what can consumers do to protect themselves from similar attacks? For starters, end-to-end encryption is not enough on its own. While WhatsApp's encryption protects messages in transit, it does not stop malware installed on a device from accessing messages after the receiving device has decrypted them. In other words, if someone compromises your smartphone or PC, they have control over all of the data on it, including those decrypted messages.

"Never open links, files, or videos from someone you don't know," advises Meta. "Be skeptical even if they're from someone you do know – check with them over a different channel first to ensure it was really them that sent it." Additionally, applying more layers of protection such as regular updates, security software, and cybersecurity awareness can help prevent attacks like this.

Google has an advanced protection program for people like these, while Apple launched lockdown mode for high-risk users. Facebook has its own initiative to protect users.