WhatsApp gains Pegasus source code access in court victory

By Charles Martin

NSO Group will have to hand over the source code of its notorious Pegasus spyware to WhatsApp, a US district court has ruled.

WhatsApp has been engaged in a US-based legal battle NSO Group, alleging that over 1,400 WhatsApp users in just a two-week period have been spied on using the Israeli company's Pegasus malware. While the Israeli defense ministry considers the source code a state secret, US District Court Judge Phyllis Hamilton has granted WhatsApp's request for information regarding the "full functionality" of Pegasus.

Pegasus is a notorious spyware tool used by governments and security agencies to perform surveillance of persons of interest, by breaking into devices like the iPhone. Apple has worked to fight the effects of the spyware, warning journalists in Russia and users in Armenia about potential infections, among other actions.

WhatsApp's case centers on the idea that the Pegasus spyware intercepts information from various messaging apps, including itself as well as iMessage, Skype, Telegram, WeChat, Facebook Messenger, and others. The Meta-owned service said it needed access to the "full functionality" of Pegasus in order to prove the allegation.

NSO Group had previously offered to share information only about the "installation layer" of the program, but the judge rejected that offer as insufficient. She did reject a further demand from WhatApp to force NSO Group to share information about its server architecture, as well as a list of names of NSO Group clients.

WhatsApp initiated the lawsuit back in 2019, but it has taken this long for various parts of the case to proceed. Judge Hamilton ordered that "all relevant spyware" be given to WhatsApp covering a period between one year before and after the two weeks of the alleged Pegasus attack, covering late April of 2018 to mid-May of 2020.

A WhatsApp spokesperson said that the ruling "is an important milestone in our long-running goal of protecting WhatsApp users against unlawful attacks. Spyware companies and other malicious actors need to understand they can be caught and will not be able to ignore the law."

The US government blacklisted the use of NSO Group software for any sort of government in 2021, finding that the Israeli company "has acted in a manner contrary to the foreign policy and national security interests of the US." NSO Group maintains that it shouldn't be prosecuted for producing malware, arguing that it only sells its software to official governments around the world.