WhatsApp recently discovered and disrupted a sophisticated hacking campaign that used a one-click exploit developed by Israel-based spyware maker NSO Group to target its users, the messaging platform’s parent company Meta has revealed.
The company said the attackers sent specially crafted phishing links through WhatsApp chats, luring victims to click on them before redirecting them to malicious websites that attempted to install Pegasus, the spyware notorious for being used by authoritarian governments to target politicians, journalists, and civil society activists, among others.
WhatsApp said it recently detected and disrupted such phishing attempts allegedly linked to Israel-based NSO Group and has asked a US court to hold the company in contempt for violating an earlier injunction that barred it from targeting WhatsApp users.
The latest disclosure comes against the backdrop of a landmark US court order last year that permanently barred NSO Group from targeting WhatsApp or its users. The injunction followed Meta’s six-year legal battle over a 2019 hacking campaign in which Pegasus exploited a vulnerability in WhatsApp to infect around 1,400 devices belonging to journalists, human rights activists, diplomats and government officials.
Meta has called for the court to now hold the NSO Group in contempt for violating the permanent injunction that barred them from ever targeting WhatsApp and its users.
Once installed, Pegasus can gain near-complete control over a smartphone, allowing operators to read encrypted messages, access emails and photos, record calls, activate the microphone and camera, and track the device’s location. Because of WhatsApp’s large user base around the world, and its consistent use among individuals who want to keep their communications private from state-sponsored surveillance, the messaging platform has been targeted with the spyware by governments that have purchased Pegasus from the NSO Group.
The NSO Group says it only sells Pegasus to governments.
How NSO changed its WhatsApp spyware attack strategy
Meta said the new hack involved the NSO Group attempting to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to the company. “We also caught them creating test accounts and groups on WhatsApp, which we took down,” Meta added.
The company disrupted the hacking campaign, which relied on social engineering, after investigating user reports.
Unlike the infamous “zero-click” exploits that made Pegasus notorious, a one-click exploit requires the victim to perform a single action – typically clicking on a malicious link sent through a messaging app, email or SMS. Once the link is opened, the attacker exploits software vulnerabilities to silently install Pegasus spyware on the target’s device, often without any further interaction or visible signs of compromise. According to Meta, the latest campaign involved spear-phishing links that redirected users to malicious websites outside the app, resembling previous one-click Pegasus operations.
Zero-click attacks, by contrast, are considerably more sophisticated because they require no user interaction whatsoever. Earlier Pegasus campaigns exploited vulnerabilities in services such as WhatsApp’s calling feature and Apple’s iMessage to infect devices simply by receiving a call or message—even if the target never answered or opened it. Security researchers say one-click attacks may appear less technically advanced, but they remain highly effective because they exploit human behaviour through carefully crafted phishing messages that appear legitimate.
How to improve security on WhatsApp
Given WhatsApp is the primary mode of communication for millions of people in India and around the world, the platform becomes a key target of surveillance attempts. Though the messaging platform is patched to deal with safety issues, new attack vectors keep emerging to challenge the safety architecture of the messaging app.
To better protect themselves, users can enable ‘Strict account settings,’ an advanced security feature on WhatsApp that turns on privacy and security controls to help protect accounts from sophisticated cyber attacks.
Strict account settings is an optional, lockdown-style security feature that, when enabled, reduces a user’s vulnerability to cyber attack by limiting functionality. The account is locked to more private settings, and chats with people outside the user’s contacts will have limitations. For instance, link previews are turned off, and blocking high volumes of unknown account messages is turned on.
This feature is built for users who may be the target of such attacks, and the company cautions it should only be turned on if a user thinks they may be a target of a sophisticated cyber campaign. The feature cannot be turned on or off from WhatsApp Web, but only from a user’s primary device.
The alleged Pegasus targeting in India, Centre’s denial
In 2021, it was reported that Pegasus was used on more than 300 Indian mobile numbers, including those of two serving ministers in the Narendra Modi government, three Opposition leaders, one constitutional authority, several journalists and business persons.
After the allegations, the Supreme Court, in 2021, formed a committee of technical experts to look into allegations of unauthorised surveillance using the Pegasus software. In August 2022, the committee of technical experts found no conclusive evidence of the use of the spyware in phones examined by it but noted that the Central Government “had not cooperated” with the panel. The report is sealed and has not been released publicly since.
“As the report is submitted to the Supreme Court, it will not be proper to offer any comments,” retired judge Justice R V Raveendran, who was supervising the probe panel, had told The Indian Express earlier.
Following the media reports of 2021, the Indian government unequivocally denied all ‘over the top allegations’ of surveillance using Pegasus. In a statement to Parliament at the time, IT Minister Ashwini Vaishnaw said the reports had “no substance”. He added that India’s surveillance laws ensure that “unauthorised surveillance cannot occur”.
