Facebook accuses Israeli firm NSO Group of spying on WhatsApp users via US servers

NSO Group had used a server run a Los Angeles-based hosting provider, according to Facebook

Social networking giant Facebook has accused Israeli surveillance firm NSO Group of using servers based in the US to spy on hundreds of WhatsApp users.

In a court filing released on Thursday in the federal court in Oakland, California, lawyers representing Facebook said that the NSO Group had used a server run by QuadraNet, a Los Angeles-based hosting provider, to direct NSO's Pegasus spyware to a large number of devices using WhatsApp software.

The latest claim comes as part of the lawsuit filed by Facebook in October last year, in which it accused the NSO Group of hacking into the mobile phones of hundreds of government officials, journalists, attorneys, and human rights activists in multiple countries to keep an eye on their activities.

The lawsuit came after revelations in May 2019 that a security flaw in WhatsApp was being exploited by NSO Group's Pegasus spyware to spy on a large number of users of the social messaging app.

The researchers who discovered this security incident said that a buffer-overflow in WhatsApp was exploited by the Israeli 'cyber intelligence' firm to compromise Android and iOS smartphones.

Attackers just needed to ring targets' phones to install the Pegasus surveillance tool. The spyware was installed even if users didn't respond to an attacker's phone calls. Moreover, such calls disappeared from the call logs after some time.

The lawyers representing the NSO Group argued in the court last year that the lawsuit filed by Facebook should be quashed as the court had no jurisdiction over the company's operations. The lawyers said that NSO Group conducts no business in California and has no employees or offices in the region.

A spokesperson for NSO Group told Bloomberg last week that the firm has no role in operating Pegasus software for its clients and added that the company's products help in saving human lives by stopping terrorism and curbing violent crimes in various parts of the world.

The spokesperson stated further that Pegasus software can't be used "...against U.S. mobile phone numbers, or against a device within the geographic bounds of the United States".

In the court filing last week, Facebook complained that the Israeli firm had no authority to access WhatsApp's servers with surveillance software, alter network settings, and hijack servers to launch attacks on WhatsApp users.

"That invasion of WhatsApp's servers and users' devices constitutes unlawful computer hacking" under the Computer Fraud and Abuse Act, the company stated.