A U.S. judge has ordered NSO Group to divulge its source code for Pegasus and other remote access trojans as part of Meta’s legal action against the Israeli spyware vendor. Meta initiated the lawsuit in 2019, accusing NSO Group of utilizing its infrastructure to distribute spyware to approximately 1,400 mobile devices, including those of Indian activists and journalists. The spyware leveraged a zero-day flaw in an instant messaging app, allowing Pegasus to be delivered via voice call functionality even if calls were unanswered.
Additionally, the attack chain involved erasing call information from logs to evade detection. While NSO Group must provide information on the spyware’s full functionality, including details surrounding the alleged attack period, it is not compelled to disclose specific server architecture details. Notably, NSO Group is exempt from revealing the identities of its clientele, a decision criticized by Amnesty International’s Security Lab head, Donncha Ó Cearbhaill.
NSO Group, known for developing cyber weapons, faced U.S. sanctions in 2021 for supplying such tools to foreign governments. Meanwhile, Meta is embroiled in controversy in the European Union over its subscription model, which critics argue presents a choice between paying a “privacy fee” or consenting to being tracked, undermining GDPR regulations. This dispute underscores broader debates surrounding digital privacy and the responsibility of tech companies in safeguarding user data.
