NSO Group has said in the past that it limits the sale of hacking tools to governments with poor human-rights records, but it has little insight into how its tools are used once they are in government hands. The company has said it only learns and investigates cases of abuse when they surface in the media.
NSO Group’s technology has repeatedly been discovered on the phones of civilians.
In 2017, The Times helped uncover the use of NSO spyware on journalists, dissidents and consumer rights activists in Mexico. Since then, the spyware has been uncovered on the phone of the wife of a murdered Mexican journalist and, last year, on the phone of a close confidant of Jamal Khashoggi, a journalist whose murder was linked by United States intelligence services to the Saudi Arabian government.
The WhatsApp complaint that was filed on Tuesday claims that NSO Group is closer to the deployment of its spyware than it portrays to the public. WhatsApp traced several servers that deployed NSO’s spyware back to internet addresses operated directly by NSO Group. The company leased servers — including servers in the United States — from Amazon and two other cloud services called Choopa and Quadranet, to help deploy its spyware, the lawsuit said.
Amazon did not return a request for comment.
Since NSO Group was founded in 2011, its spy technology, called Pegasus, has become the preferred mobile spy tool of many governments. An early NSO commercial proposal leaked to The Times claimed Pegasus could overcome encryption to grant “unlimited access” to everything on a target’s mobile device.
“Pegasus silently deploys invisible software on the target device,” the company’s early pitch read. “Installation is performed remotely over-the-air, does not require any action from or engagement with the target and leaves no trace whatsoever on the device.”
For years, commercial spyware makers have been unregulated, in part because governments are the clients.
“They get close to governments and when those governments do bad things with their products, commercial spyware companies can claim it’s not their fault,” said Mr. Scott-Railton, of Citizen Lab.
