Israeli surveillance firm NSO Group reportedly continued exploiting WhatsApp vulnerabilities to deploy its Pegasus spyware, even after facing legal action from Meta. Court documents filed last week detail the company's development of multiple zero-day exploits, including a previously unknown vector named “Erised.”
The documents describe a timeline of escalating attacks that leveraged WhatsApp vulnerabilities to enable zero-click installations of Pegasus. Marketed as a surveillance tool for governments, Pegasus provides operators with capabilities to monitor and extract data from compromised devices. Pegasus has been widely criticized for being used against journalists, activists, and political dissidents.
NSO’s first exploit, “Heaven,” relied on a custom-built WhatsApp client, the “WhatsApp Installation Server” (WIS), that impersonated legitimate clients. This allowed NSO to install Pegasus on targeted devices via third-party servers under its own control. WhatsApp responded with security updates in September and December 2018 that blocked the attack.
After WhatsApp patched “Heaven,” NSO developed the “Eden” exploit, one of a family of vectors collectively called “Hummingbird.” Eden let NSO send malformed messages through WhatsApp’s own servers; by May 2019 it had been used to infect approximately 1,400 devices worldwide. According to Meta’s court filings, NSO reverse-engineered WhatsApp’s code to build WIS, which Meta says violated multiple laws as well as the platform’s Terms of Service. WhatsApp patched Eden and disabled NSO’s accounts shortly after detecting the attack.
NSO then allegedly crafted a further installation vector, “Erised,” which used WhatsApp’s relay servers to install Pegasus. Tamir Gazneli, NSO’s head of research and development, acknowledged the development and use of these exploits.
In each case, NSO’s approach depended on decompiling and reverse-engineering WhatsApp’s code to build the tooling used to compromise targeted devices. That conduct prompted Meta to sue the company in 2019, accusing it of unauthorized access, violations of computer fraud laws, and breach of WhatsApp’s Terms of Service.