The lawsuit WhatsApp filed in a California court gives insight into how NSO allegedly seeded the Pegasus spyware onto the target devices.
The lawsuit says the Pegasus operators set up secret servers designed to inject malicious code onto Target Devices. In its words: “Defendants set up various computer infrastructure, including WhatsApp accounts and remote servers” and then “used WhatsApp accounts to initiate calls through Plaintiffs’ servers that were designed to secretly inject malicious code onto Target Devices”. This “caused the malicious code to execute on some of the Target Devices, creating a connection between those Target Devices and computers controlled by Defendants (the “remote servers”)”.
The lawsuit also alleges that the Pegasus operators created fake WhatsApp accounts using telephone numbers registered in different countries. Telephone numbers from countries such as Cyprus, Israel, Brazil, Indonesia, Sweden, and the Netherlands were used for this purpose.
They also “leased and caused to be leased servers and internet hosting services in different countries, including the United States, in order to connect the Target Devices to a network of remote servers intended to distribute malware and relay commands to the Target Devices”. WhatsApp claimed these servers were owned by Choopa, Quadranet and Amazon Web Services, among others. “The IP address of one of the malicious servers was previously associated with subdomains used by Defendants.”
According to WhatsApp, NSO “reverse-engineered the WhatsApp app and developed a program to enable them to emulate legitimate WhatsApp network traffic in order to transmit malicious code—undetected—to Target Devices over WhatsApp servers”. “To avoid the technical restrictions built into WhatsApp Signaling Servers,” the lawsuit claimed, “Defendants formatted call initiation messages containing malicious code to appear like a legitimate call and concealed the code within call settings… Once Defendants’ calls were delivered to the Target Device, they injected the malicious code into the memory of the Target Device—even when the Target User did not answer the call.”