The conflict between Facebook and the NSO Group continues. Let me remind you that in the fall of 2019, Facebook filed a lawsuit against the Israeli company NSO Group, which develops and sells spyware solutions and so-called “legal malware”. The lawsuit was triggered by a zero-day WhatsApp vulnerability, information about which appeared in May 2019.
According to Facebook, the vulnerability was sold to the NSO Group, and the company then helped its customers exploit it to attack human rights defenders, journalists, political dissidents, diplomats and government officials. According to court documents, more than 1,400 people in Bahrain, the United Arab Emirates and Mexico were attacked over a total of 11 days.
Moreover, Facebook banned NSO Group employees on its platforms, as the lawsuit provided for a permanent injunction prohibiting all NSO Group employees from accessing or trying to access WhatsApp and Facebook services, platforms and computer systems.
Now representatives of NSO Group have declared that back in 2017, Facebook tried to acquire from them a spy tool targeting users of Apple devices.
We are talking about the notorious Pegasus malware, which was first discovered in 2016. In subsequent years, information security experts continued to find more and more incidents involving Pegasus and to criticize the NSO Group for selling its solutions to governments and special services around the world (often repressive regimes), although the use of the malware was ultimately not documented by anyone anywhere.
Pegasus is designed for espionage and is able to collect text messages, application information, eavesdrop on calls, track location, and steal passwords.
Now the head of the NSO Group claims that in October 2017, representatives of the social network tried to acquire the right to use certain features of Pegasus. Interestingly, it was at this time that Facebook began deploying the scandalous Onavo Protect VPN application, which, without the knowledge of users, analyzed traffic to understand which applications people use. When this became known, Apple banned the application and revised the rules for such products. As a result, the development and use of Onavo Protect was abandoned.
According to court documents, it seems that Facebook representatives were not interested in buying Pegasus as a hacking tool, or the modules designed for remote hacking. Rather, the company was interested in more efficient monitoring of the phones of users who had already installed Onavo. At the same time, the NSO Group emphasizes that it sells Pegasus only to customers related to intelligence and law enforcement.
“Facebook said Facebook was concerned that the Onavo Protect user data collection method was less effective on Apple devices than on Android devices,” the lawsuit says. “Facebook officials also said they want to use Pegasus' supposed capabilities to monitor user activity on Apple devices and are willing to pay for the ability to monitor Onavo Protect users.”
Representatives of Facebook, in turn, deny everything, claiming that the NSO Group distorts the facts:
“NSO is trying to divert attention from the facts that Facebook and WhatsApp presented to the court more than six months ago. They try to avoid responsibility by exposing their spyware and negotiations with Facebook employees in the wrong light. Our lawsuit describes that it is NSO that is responsible for attacks on more than 100 human rights defenders and journalists around the world. NSO CEO Shalev Hulio admitted that his company is capable of attacking devices without the knowledge of users, and can see who Pegasus is being used against. We look forward to bringing our case against NSO to court and ensuring that they are held accountable for their actions.”
NSO Group calls these allegations by Facebook unfounded, once again repeating that the company sells its software only to governments and law enforcement agencies (in accordance with Israeli export laws) and does not use its own tools. Thus, the NSO Group itself did not attack or hack anyone, and cannot be held responsible for the actions of its customers.