Meta Just Set a Legal Precedent Against Spyware. The Pegasus Maker Will Have to Pay $167 Million in Damages

  • This marks a significant victory for Meta in the first U.S. lawsuit against a commercial spyware manufacturer.

  • NSO Group has been ordered to pay more than $167 million in damages for targeting WhatsApp users.

  • Apple also filed a lawsuit, but later withdrew it to safeguard its security system.


Javier Márquez, Writer

Adapted by: Alba Mora


Big Tech companies often claim to protect their ecosystems, but the truth is much more complicated. There are no foolproof systems. One company that excels at exploiting vulnerabilities is NSO Group, the Israeli entity behind the Pegasus spyware. Meta recently achieved a big legal victory after six years of litigation. A federal jury ordered NSO to pay more than $167 million in punitive damages. NSO will also have to pay $444,000 in compensatory damages for its spying tool’s impact on WhatsApp users.

Meta declared war on Pegasus. In 2019, Meta filed a lawsuit against NSO Group after discovering a massive attack that targeted a critical vulnerability in WhatsApp’s calling system. The Pegasus spyware could install itself on devices through a simple call, even if the user didn’t answer. Once installed, it could activate the device’s mic and camera, and access messages, emails, locations, and other sensitive data.

Hacking attempts were recorded from a target’s phone. | Image: Citizen Lab

Citizen Lab collaborated with Meta and helped identify more than 1,400 potentially affected users, including journalists, human rights activists, and diplomats. Meta claims it notified each of these individuals directly and deployed urgent security patches.

This marked the first time an encrypted messaging provider took a private company to court for using spying tools against its platform.

Revelations. During the court proceedings, NSO Group was compelled to confirm something it had long avoided. The Israeli company admitted that its software can silently compromise all data on a phone. Pegasus can infiltrate iOS and Android devices through several methods, including zero-day exploits, web browsers, and messaging services. Once installed, the spyware communicates with external servers to transmit data.

The trial marked the first time senior NSO officials testified under oath, revealing how their paid surveillance system operates as a service sold to governments and agencies. Additionally, Meta clarified that WhatsApp wasn’t NSO’s only target. According to Citizen Lab, Pegasus was also used to attack other services, impacting users in at least 20 countries. Notably, Pegasus can compromise other encrypted apps, such as Signal, which widens the scope of the threat.

A landmark verdict. The recent ruling requires NSO to pay $167 million in punitive damages and more than $444,000 in additional compensatory damages. This is the first time a U.S. court has held a spyware company accountable for illegally using its tools against technology platforms and civilians.

Meta says this ruling is a significant breakthrough for privacy and digital security, adding that it serves as a deterrent to the entire spyware industry.

Apple took legal action. In November 2021, the company also filed a lawsuit against NSO Group. In the lawsuit, Apple claimed that the Israeli entity had exploited a vulnerability known as FORCEDENTRY to compromise Apple devices through a manipulated identification system. The aim was to install Pegasus software without the user’s knowledge. Apple requested a court order to prevent NSO Group from using its software and services.

However, in 2024, Apple chose to withdraw from the case. In a motion submitted to the court, the company expressed concerns that continuing the lawsuit could risk exposing confidential information related to its threat intelligence system. Apple argued that the current landscape had become more fragmented, with a broader range of malicious actors than when the lawsuit was initially filed. This could make the potential advantages of pursuing the case less significant compared to the security risks posed to its users.
