What Is NSO's Pegasus and the WhatsApp Vulnerability?
NSO Group is a private Israeli surveillance company founded in 2010 that develops and sells spyware tools to government agencies. Pegasus, its flagship product, is among the most sophisticated mobile surveillance tools ever created. Unlike simple malware that steals login credentials, Pegasus performs what security researchers call "lawful interception"—complete remote access to a target device that can extract messages, emails, photos, location data, call recordings, and activate the camera and microphone without the user's knowledge or consent.
The WhatsApp vulnerability that became central to Meta's legal case originated in 2019. NSO discovered a flaw in WhatsApp's call-initiation protocol—the technical process that establishes voice and video connections. By sending a specially crafted WhatsApp call to a target, attackers could trigger code execution, allowing malicious software to install itself without the victim ever answering or even seeing the call attempt. WhatsApp's parent company Facebook (now Meta) discovered the attack in May 2019 after security researchers at Citizen Lab, a University of Toronto research group, analyzed suspicious activity affecting journalists and human rights workers in Mexico, the United Arab Emirates, and Bahrain. Meta patched the vulnerability but NSO allegedly continued refining similar techniques in subsequent years.
Why Everyone Is Talking About It Right Now
Meta alleges that NSO violated the spyware injunction with new WhatsApp attacks, basing the claim on technical evidence gathered between 2021 and 2024. In its legal filings, Meta presented detailed forensic analysis indicating that NSO had developed modified versions of Pegasus specifically designed to evade detection while targeting WhatsApp users. The 2020 injunction that originally restricted NSO's activities had been issued following Meta's first lawsuit, but Meta claimed NSO simply pivoted tactics rather than complying. The timing of Meta's renewed allegations coincided with broader international scrutiny of NSO—in late 2021, investigative journalists revealed that dozens of governments had used Pegasus to spy on opposition politicians, human rights defenders, and journalists, sparking criminal investigations in France, India, and multiple other nations.
The specific technical evidence Meta cited involved what security researchers call "zero-day exploits"—previously unknown vulnerabilities in WhatsApp that NSO could exploit before Meta discovered and patched them. Between 2019 and 2023, Meta documented approximately 150 cases where users' phones showed forensic signatures consistent with NSO-based attacks. These signatures include modified system calls, unexpected processes running at the kernel level, and network traffic patterns matching known Pegasus command-and-control infrastructure. The sheer technical sophistication required to generate this evidence meant Meta's allegations carried substantial weight with courts and security experts alike.
How It Works
Understanding how NSO's Pegasus spyware functions requires breaking down the attack chain into discrete stages. First comes reconnaissance: NSO operators identify target phone numbers through various channels, ranging from government requests to supposedly leaked contact lists. Second is delivery: NSO sends a specially crafted WhatsApp message or initiates a call using vulnerabilities unknown to Meta or the broader security community. Unlike typical phishing attacks that require user interaction, Pegasus exploits what security experts call "n-day" or "zero-day" vulnerabilities—defects in code that the software maker hasn't yet discovered and therefore cannot patch.
Once the exploit executes on the target device, the third stage—installation—begins. The spyware establishes persistent access by embedding itself in the operating system at a privileged level, meaning it runs with administrative permissions that allow it to bypass normal security restrictions. The fourth stage involves command execution: NSO operators can then issue instructions to the compromised device. A typical attack sequence might unfold like this: an activist in Central America receives a WhatsApp call from an unknown number on Tuesday morning. The call doesn't ring through to them, but in the background, code executes. By Wednesday, NSO operators have extracted all messages from Signal, Telegram, and Viber. By Friday, they've captured photos from the activist's camera roll, location coordinates from their past week, and audio recordings from meetings. The activist remains completely unaware throughout.
What makes Meta's allegation that NSO violated the spyware injunction with new WhatsApp attacks significant is that it proved NSO adapted after the 2020 injunction. Rather than exploiting the identical 2019 vulnerability, forensic analysis suggested NSO had discovered and weaponized different flaws in WhatsApp's code—possibly through reverse engineering, bug bounty programs, or recruiting former security engineers. Each new vulnerability required different technical approaches, but the end result remained consistent: unfettered access to WhatsApp users' devices.
Compared to What Came Before
The original 2019 WhatsApp vulnerability represented a watershed moment in surveillance capability. Previous spyware attacks typically required some user action—clicking a malicious link, installing a trojanized app, or responding to a social engineering message. The WhatsApp vulnerability eliminated that requirement entirely. A target could be hacked while sleeping, with their phone locked and untouched. This represented a qualitative leap from earlier NSO capabilities and explained why journalists and human rights organizations facing NSO threats began purchasing new phones or disconnecting from digital networks entirely.
The difference in Meta's new allegations lies in sophistication and scope. Where the 2019 vulnerability was discovered and patched relatively quickly, NSO's supposed post-2020 attacks involved multiple distinct vulnerabilities, staggered over years. This suggested industrial-scale spyware development—NSO maintaining a portfolio of WhatsApp exploits rather than relying on a single vulnerability. Additionally, Meta's forensic evidence indicated NSO had enhanced its post-exploitation capabilities, making the spyware harder to detect through standard mobile device forensics. Security researchers noted that later Pegasus variants allegedly employed anti-forensic techniques, deleting logs that would normally prove an intrusion had occurred.
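Two of the signature classes described earlier (unexpected processes and traffic to known command-and-control infrastructure) and the log deletion described in the preceding paragraph can each be checked mechanically during device triage. The following is an added example, not code from Meta, Citizen Lab or the original article; the indicator values, table layouts and function names are constructed assumptions.

```python
"""Triage constructed device artifacts for indicator matches and deletion traces."""

# Constructed placeholders, not real Pegasus indicators.
IOC_PROCESSES = {"example-implant"}
IOC_DOMAINS = {"c2.example.invalid"}

# Constructed artifacts. PROCESSES maps row id -> process name; USAGE rows are
# (row id, process row id, bytes sent) and reference PROCESSES by id.
PROCESSES = {1: "mediaserverd", 2: "WhatsApp", 3: "example-implant", 6: "mail"}
USAGE = [(10, 1, 512), (11, 2, 90210), (12, 3, 4096), (13, 5, 78000)]
DNS_LOG = ["web.whatsapp.com", "cdn7.c2.example.invalid", "notc2.example.invalid"]

def domain_hits(names, iocs):
    """Return names equal to an indicator or a subdomain of one (label boundary)."""
    hits = []
    for name in names:
        n = name.lower().rstrip(".")
        if any(n == ioc or n.endswith("." + ioc) for ioc in iocs):
            hits.append(name)
    return hits

def process_hits(processes, iocs):
    """Return process names that appear in the indicator set."""
    return sorted(name for name in processes.values() if name in iocs)

def id_gaps(ids):
    """Return row ids missing from an otherwise sequential id range."""
    present = set(ids)
    if not present:
        return []
    return [i for i in range(min(present), max(present) + 1) if i not in present]

def orphaned_usage(processes, usage):
    """Return usage rows whose process record no longer exists."""
    return [row for row in usage if row[1] not in processes]

def triage(processes, usage, dns_log):
    """Collect indicator matches and deletion traces into one report."""
    return {
        "process_hits": process_hits(processes, IOC_PROCESSES),
        "domain_hits": domain_hits(dns_log, IOC_DOMAINS),
        "deleted_process_ids": id_gaps(processes),
        "orphaned_usage": orphaned_usage(processes, usage),
    }

if __name__ == "__main__":
    for key, value in triage(PROCESSES, USAGE, DNS_LOG).items():
        print(f"{key}: {value}")
```

Id gaps and orphaned rows are leads rather than proof, since ordinary cleanup can also remove records; they matter most when they line up with an indicator match in the same time window.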
Who Uses It and How
NSO Group operates on a government-licensing model. The company sells Pegasus and related tools exclusively to government agencies, nominally for counterterrorism and serious crime investigation. NSO maintains contractual language requiring customers to use the tools legally and ethically—but enforcement of these terms has proven almost impossible. Leaked records and investigative reporting revealed that at least 36 governments had purchased NSO tools, including Mexico, India, the Philippines, Saudi Arabia, and the United Arab Emirates.
In practice, governments have deployed NSO tools against targets far removed from terrorism suspects. Human rights organizations and journalists documented Pegasus use against:
- Mexican journalists reporting on drug cartels and government corruption
- Indian opposition politicians and election monitors
- Saudi Arabian dissidents and the family members of murdered journalist Jamal Khashoggi
- Ugandan human rights defenders investigating government abuses
- Moroccan human rights advocates and imprisoned activists
- Hungarian civil society leaders monitoring judicial independence
In several documented cases, targets weren't even political adversaries—one Mexican governor allegedly used Pegasus to spy on his own wife. The lack of meaningful oversight meant NSO's products functioned as tools for systematic oppression rather than counterterrorism, with Meta's allegation that NSO violated the spyware injunction with new WhatsApp attacks becoming emblematic of this widespread misuse.
Pros, Cons, and Concerns
NSO and its government customers argue that surveillance tools serve legitimate security purposes. In controlled scenarios, highly targeted monitoring of genuine terrorism suspects or serious criminals could theoretically provide valuable intelligence. However, this theoretical benefit has been consistently contradicted by evidence. The major cons substantially outweigh any supposed advantages.
The surveillance costs are profound and concrete. First, targeted individuals suffer direct harms: journalists self-censor stories about corruption, activists abandon organizing work, dissidents flee their countries. Second, democratic institutions corrode when governments can secretly monitor opposition parties, journalists, and judiciary members. Third, marginalized populations face amplified vulnerability—indigenous leaders, LGBTQ+ activists, and ethnic minorities targeted by NSO spyware in authoritarian contexts have limited legal recourse. Fourth, businesses and national security suffer when critical infrastructure operators, military personnel, and intelligence agents are compromised through NSO tools sold to adversarial nations.
"NSO's business model requires belief in government restraint—that surveillance powers will be used narrowly and lawfully. Evidence from Mexico to the UAE to India to Saudi Arabia proves that belief is catastrophically misplaced. The company has created a market for oppression."
The enforcement challenge compounds these concerns. Meta alleges that NSO violated the spyware injunction with new WhatsApp attacks, yet NSO operates primarily outside U.S. jurisdiction, from Israel, making enforcement difficult even when courts rule against it. Countries that purchase NSO tools face minimal international consequences for misuse.
What to Expect Next
Meta's legal strategy appears designed to establish a clear pattern of ongoing violation. The company filed updated complaints requesting enhanced injunction terms and potentially punitive damages against NSO. Technical remediation efforts have accelerated—Meta implemented end-to-end encryption across WhatsApp, meaning even if NSO compromises a device, capturing message content requires additional steps. WhatsApp also deployed notifications alerting users when their security may have been compromised, allowing targets to take protective action.
Internationally, governments have begun taking action. France opened a criminal investigation into NSO's operations in 2021. India's parliament launched inquiries into alleged surveillance of opposition figures. The European Union proposed regulations that could restrict surveillance tool export to countries with documented human rights violations. Israel, NSO's home country, has also moved to establish new oversight mechanisms, though critics argue these efforts remain inadequate given the company's market dominance.
Technologically, the arms race continues escalating. Security researchers expect NSO to develop even more advanced exploitation techniques, while Meta, Apple, Google,