NSO Group used another WhatsApp zero-day after being sued, court docs say

Israeli surveillance firm NSO Group reportedly used several zero-day exploits, including a previously unknown one called “Erised,” that abused WhatsApp vulnerabilities to deliver Pegasus spyware in zero-click attacks, even after being sued.

Pegasus is the NSO Group’s spyware platform (marketed as surveillance software for governments worldwide), with multiple software components that provide customers with comprehensive surveillance capabilities over victims’ compromised devices. For example, NSO customers could monitor victims’ activity and extract information using the Pegasus agent installed on victims’ mobile phones.

According to court documents archived on Thursday (first spotted by Citizen Lab senior researcher John Scott-Railton) as part of WhatsApp’s legal battle with NSO Group, the spyware maker developed an exploit named “Heaven” before April 2018. It relied on a custom WhatsApp client known as the “WhatsApp Installation Server” (or “WIS”) that could impersonate the official client in order to deploy the Pegasus spyware agent on target devices from a third-party server under NSO’s control.

However, WhatsApp blocked NSO’s access to infected devices and its servers with security updates issued in September and December 2018, preventing the Heaven exploit from working.

In February 2019, the spyware maker allegedly developed another exploit known as “Eden” to bypass WhatsApp’s protections implemented in 2018. As WhatsApp discovered in May 2019, Eden was used by NSO customers in attacks against around 1,400 devices.

“As a threshold matter, NSO acknowledges that it developed and sold the spyware described in the complaint, and that NSO’s spyware—specifically, its zero-click installation vector called ‘Eden,’ which was part of a family of WhatsApp-based vectors known collectively as ‘Hummingbird’ (collectively, ‘Malware Vectors’)—were responsible for the attacks,” the court documents state.

Tamir Gazneli, NSO’s director of research and development, and the other defendants “have admitted that they developed these exploits by extracting and decompiling WhatsApp’s code, reverse engineering WhatsApp” to create the WIS client, which could be used to “send false messages (which a legitimate WhatsApp client could not send) through WhatsApp servers, thereby causing target devices to install the Pegasus spyware agent – all in violation of federal and state law and the clear language of WhatsApp’s terms of use.”

After discovering the attacks, WhatsApp patched the Eden vulnerabilities and disabled NSO’s WhatsApp accounts. But even after the Eden exploit was blocked in May 2019, court documents say NSO admitted to developing another installation vector (called “Erised”) that used WhatsApp’s relay servers to install Pegasus spyware.

WhatsApp users were targeted even after the lawsuit was filed

The new court documents say NSO continued to use and make Erised available to customers even after the lawsuit was filed in October 2019, until further WhatsApp changes blocked its access sometime after May 2020. NSO witnesses reportedly refused to answer whether the spyware maker developed additional WhatsApp-based malware vectors.

The documents also reveal that the spyware vendor admitted in court that its Pegasus spyware exploited WhatsApp’s service to install its surveillance software on “between hundreds and tens of thousands” of target devices. It also admitted that it had reverse-engineered WhatsApp to develop that capability, installed the “technology” for its customers, and provided them with the WhatsApp accounts they needed to carry out the attacks.

The spyware installation process was allegedly initiated when a Pegasus customer entered a target’s cell phone number into a field on a program running on their laptop, triggering the deployment of Pegasus on the target’s devices remotely.

Thus, its customers’ involvement in the operation was limited: they only needed to enter the target number and select “Install”. The spyware installation and data extraction were handled entirely by NSO’s Pegasus system, requiring no technical knowledge or additional action from customers.

However, NSO continues to state that it is not responsible for the actions of its customers and that it does not have access to data retrieved during Pegasus spyware installation, thereby downplaying its role in surveillance operations.

Among other targets, NSO’s Pegasus spyware was used to hack into the phones of Catalan politicians, journalists and activists, UK government officials, Finnish diplomats, and US Department of State employees.

In November 2021, the United States sanctioned NSO Group and Candiru for providing software used to spy on government officials, journalists and activists. In early November 2021, Apple also filed a lawsuit against NSO for hacking into Apple customers’ iOS devices and spying on them with Pegasus spyware.

A spokesperson for the NSO Group was not immediately available for comment when contacted by BleepingComputer earlier today.