Pegasus Spyware Under Fire: Court Docs Claim NSO Group Kept Infecting Celebs, Including a Dubai Princess, as Tech Giants Fought to Take It Down

New documents claim Israeli spyware maker NSO Group has been infecting hundreds to tens of thousands of devices with its infamous Pegasus spyware despite tremendous efforts by US tech giants to muffle its operations.

According to court documents published last week, NSO Group has been systematically incrementing its spyware infection vectors from 2018 onward, to keep its business alive, as tech giants were fighting back with software patches and lawsuits.

Citizen Lab senior researcher John Scott-Railton took to X to highlight some of the nefarious practices used by NSO as the company kept fulfilling customer orders to infect adversaries’ phones with surveillance software, including a high-profile attack on Dubai's Princess Haya.

Old habits die hard

The documents allege NSO developed and rolled out a zero-click WhatsApp exploit to implant Pegasus spyware on victims’ phones even after Meta (Facebook) sued them.

NSO Group had developed the attack avenues by exploiting weaknesses in the instant messaging platform WhatsApp, owned by Meta. Using intricate deployment methods, NSO people would ultimately also carry out the attacks for their clients – a point previously denied by the Israeli company.

Three exploits are mentioned in Facebook’s lawsuit against the spyware maker, dubbed Heaven, Eden, and Erised.

“After the Heaven vector stopped working, NSO Group deployed Eden, which had a key feature: it needed to pass through relays controlled by WhatsApp,” Scott-Railton explains, adding that the exploit was designed to be deployed without detection.

“Ultimately, it was detected, leading to the lawsuit,” according to the Citizen Lab researcher.

The papers also include references to employees discussing Pegasus development and deployment, including one to a US-based affiliate of NSO’s named “Francisco Partners.”

Pegasus allegedly used to target Dubai Princess Haya

The cherry on top comes in the form of a footnote that mentions NSO Group’s CEO alleging in a deposition that Pegasus spyware was used by Dubai’s ruler to target his ex-wife, Princess Haya – a story The Guardian broke in 2021.

NSO Group’s Pegasus is a notoriously potent cyber weapon mainly used by state actors to hack into adversaries’ smartphones. These include political figures, free speech advocates, activists, dissidents, and essentially anyone labeled a high-profile target.

The Israeli firm has historically defended itself by saying it develops and sells its monitoring software to give law enforcement the tools to fight dangerous criminals, such as terrorists.

Facebook, Apple and Google have been waging war against NSO Group and other spyware vendors operating out of Israel for years. Scott-Railton’s Citizen Lab have been actively seeking to shutter spyware operations globally by conducting thorough research into the malware while providing technology giants the threat intel required to patch systems against attacks.

In a surprising twist, Apple announced this year that it’s dropping its year-long legal tussle with NSO Group to avoid having to disclose the threat intelligence it has developed over the years to fight Pegasus.

How to defend against spyware

Bitdefender recommends you keep your devices up to date with the latest security patches issued by the vendor as the first important step against a spyware infection – especially if you consider yourself a target. Apple and Google issue periodic security updates designed to patch vulnerabilities exploitable in malware attacks.

For peace of mind, run a dedicated security solution on all your personal devices.

On iOS and macOS, keep the trusty Lockdown Mode toggle handy whenever you believe hackers might be targeting you.

Check out our comprehensive guide “How Spyware Infects Smartphones and How to Defend Against It” to learn more about the spyware threat and how to stay protected.