Updates to our Terms of Use

We are updating our Terms of Use. Please carefully review the updated Terms before proceeding to our website.

Log in to CasePortal
Search Articles
Free Litigation Reports Find Judicial Opinions

Wednesday, April 23, 2025

View Back issues
Wednesday, April 23, 2025

Israeli spyware program takes center stage in trial over WhatsApp hacks

As Meta crafted a detailed timeline of events of the spyware's 2019 attack on WhatsApp users, the defendants NSO Group claimed the tech giant's "fixes" were really attempts to steal the program for itself.

/ April 30, 2025
The logo of the Israeli NSO Group company appears on a building where they had offices in Herzliya, Israel. (AP Photo/Daniella Cheslow, File)

OAKLAND, Calif. (CN) — Meta presented the bulk of its case to jurors Wednesday in a trial over computer fraud claims it and its subsidiary WhatsApp brought against NSO Group Technologies, a notorious hacker-for-hire firm.

Meta’s claims relate to a 2019 security breach in which the cyber-intelligence company remotely installed surveillance software on the phones of over 1,400 WhatsApp users, including activists, journalists and diplomats.

In a deposition video played for the jury, NSO’s CEO Yaron Shohat said he believes that several of NSO’s competitors have developed similar capabilities since the lawsuit was filed in October 2019 — capabilities that are likely in use today.

“I am aware of competitors with — which I believe have such capabilities today,” Shohat said in the August 2024 video.

NSO Group is an Israeli cyber-intelligence firm best known for its flagship product Pegasus, a proprietary spyware used in the past to spy on reportersforeign political leaders and U.S. State Department employees. Once installed on a phone, Pegasus allows the user to read messages, listen to phone calls, observe a cellphone’s location data and gain control over the device’s microphone and camera without its owner’s knowledge.

Although Shohat was present in the courtroom, Meta opted to play his deposition video instead of having him take the stand.

The tech giant also played videos of other NSO employees’ depositions that further detailed the capabilities of Pegasus.

“Pegasus has the ability to download the user data of a device today,” Ramon Eshkar, a vice president at NSO, told attorneys in August 2024. Eshkar clarified later that “user data” encompassed all information on a user’s phone, save for the operating system.

NSO also testified that it covered its tracks through anonymized phone numbers and servers to protect itself and its clients from being discovered.

“As it says here, the goal is the deniability of the customer, which includes the deniability of the company,” said Tamir Gazneli, NSO’s vice president of research and development, referring to an internal document describing Pegasus.

Meta also provided jurors with more details about the timeline of NSO’s 2019 server intrusions.

On May 2, 2019, a WhatsApp intern working with its voice & video call division discovered several messages on WhatsApp’s server that had suspicious-looking data in fields that weren’t editable by users. As engineers looked into it, they realized it was “shell code” that directed user devices to an outside server, downloaded new code onto the device and then executed it.

This led to a full-scale investigation by Meta’s security teams, which involved patching the vulnerability and then trying to capture the program so they could better understand it. Software engineers would later discover that the program downloaded on users’ phones was the Pegasus spyware.

Claudiu Gheorghe, one of the senior engineers at Meta who handled the May 2019 incident, said that although they had a fix ready by May 6, 2019, they convinced the upper management at WhatsApp to give them some more time with the program.

“It’s a very important mistake engineers make in this industry. They remediate too quickly,” Meta software engineer Claudiu Gheroghe told the jury. “These attacks are really sophisticated, and you want to learn as much as possible before you put any remediation in place.”

Andrew Robinson, a security engineer with Meta’s corporate threat intelligence team at the time, agreed.

“Having a full and complete picture of what’s going on in the attack helps us better defend our systems for our users,” Robinson said.

Meta ultimately failed to “fetch the payload,” as they put it, and pushed the fix to the Google Play store on May 13, 2019.

NSO claims that the effort was, in actuality, an effort by the tech giant to steal its intellectual property and said that Robinson, who was tasked with retrieving the Pegasus payload by using a VPN to make it look like he was in a different country, was effectively conducting a “false flag operation.” Robinson objected to this characterization.

“Usually, those are attributed people trying to attack another operation, not defend,” Robinson said.

NSO’s efforts on cross-examination tried to minimize the impact of its server use. Through Meta’s witnesses, NSO made the point that although the info they embedded in users’ WhatsApp messages eventually infected their devices with Pegasus, it did so through an outside server.

“And you know that Pegasus has never transited through a WhatsApp server,” attorney Joe Akrotirianakis of King and Spalding, representing NSO, said on cross-examination.

NSO argued that because Pegasus never passed through a WhatsApp server, and the servers never suffered any slowdowns or damage, the harm to Meta is less than it is making it out to be.

Meta is currently asking for over $440,000 in compensatory damages to remedy the costs of investigating malicious code on its servers, as well as unspecified punitive damages.

Originally designed as a tool for government law enforcement and intelligence agencies, Pegasus is NSO’s flagship product and is licensed to governments around the world.

In order to embed the spyware into someone’s phone, Pegasus clients send a text message that then invades devices through a malicious code lurking in these messages sent via WhatsApp, Telegram or other messaging services.

Pegasus can also infect users through missed phone calls and “zero-click” attacks, which do not require any action from the phone’s owner to succeed.

Once implanted, Pegasus can control a phone’s microphones and cameras while extracting the personal and location data of its owner — for example, by scraping browser history and contacts, grabbing screenshots, and infiltrating communications.

NSO Group says it says it only sells its spyware to legitimate government law enforcement and intelligence agencies vetted by Israel’s Defense Ministry for use against terrorists and criminals. But the company landed on the U.S. Commerce Department’s entity list in 2021 for activities counter to national security interests.

This case was filed in the Northern District of California and heard at the Ron V. Dellums Federal Courthouse in Oakland, California. The trial was held before U.S. District Judge Phyllis J. Hamilton, a Bill Clinton appointee. A verdict is expected by May 5, 2025.

Categories / Courts, Technology, Trials

Subscribe to our free newsletters

Our weekly newsletter Closing Arguments offers the latest about ongoing trials, major litigation and rulings in courthouses around the U.S. and the world, while the monthly Under the Lights dishes the legal dirt from Hollywood, sports, Big Tech and the arts.

Loading...