A U.S. judge has ordered NSO Group to hand over its source code for Pegasus and other remote access trojans to Meta as part of the social media giant’s ongoing litigation against the Israeli spyware vendor.
The decision marks a major legal victory for Meta, which filed the lawsuit in October 2019 for using its infrastructure to distribute the spyware to approximately 1,400 mobile devices between April and May. This also included two dozen Indian activists and journalists.
These attacks leveraged a then zero-day flaw in the instant messaging app (CVE-2019-3568, CVSS score: 9.8), a critical buffer overflow bug in the voice call functionality, to deliver Pegasus by merely placing a call, even in scenarios where the calls were left unanswered.
Court documents released late last month show that NSO Group has been asked to “produce information concerning the full functionality of the relevant spyware,” specifically for a period of one year before the alleged attack to one year after the alleged attack (i.e., from April 29, 2018 to May 10, 2020).
Meta, however, is facing mounting scrutiny from privacy and consumer groups in the European Union over its “pay or okay” (aka pay or consent) subscription model, which they say is a Hobson’s choice between paying a “privacy fee” and consenting to be tracked by the company.
“This imposes a business model in which privacy becomes a luxury rather than a fundamental right, directly reinforcing existing discriminatory exclusion from access to the digital realm and control over personal data,” they said, adding the practice would undermine GDPR regulations.
The development comes as threat intelligence firm Recorded Future revealed a new multi-tiered delivery infrastructure associated with Predator, a mercenary mobile spyware managed by the Intellexa Alliance.
Sekoia, in its own report about the Predator spyware ecosystem, said it found three domains likely related to customers in Botswana, Mongolia, and Sudan, stating it detected a “significant increase in the number of generic malicious domains which do not give indications on targeted entities and possible customers.”
Source: https://thehackernews.com/