US Court Bans NSO Group From Targeting WhatsApp, Orders Data Deletion, Cuts Damages to $4M

CyberSecureFox 🦊

A US federal court in the Northern District of California has issued a permanent injunction against Israeli spyware developer NSO Group in the WhatsApp case brought by Meta. The order requires NSO to halt any targeting of WhatsApp users, cease attempts to compromise devices or intercept messages, and delete data previously obtained through such activities. While liability stands, the court reduced the jury’s damages award from $167 million to $4 million after finding the original calculation method improper.

What the permanent injunction covers: end-to-end encryption and user data

Judge Phyllis J. Hamilton ruled that NSO Group may not attack WhatsApp or interfere with the service’s operations, including attempts to defeat or access content protected by end-to-end encryption that relies on the open Signal Protocol. The court separately ordered NSO to delete all data acquired from past targeting of WhatsApp accounts.

The court declined to extend the injunction to foreign sovereigns not party to the case or to other Meta services (e.g., Facebook, Instagram) due to insufficient evidence of targeting beyond WhatsApp. Notably, the ruling recognized that encrypted communications services effectively “sell privacy,” and unauthorized access directly undermines the business model and user trust.

How Pegasus leveraged WhatsApp: confirmed techniques, timelines, and scale

Although NSO markets Pegasus as a lawful intercept tool for governments, public records and litigation materials have documented covert surveillance use. Unredacted filings made public in late 2024 detail that until April 2018 NSO employed a custom WhatsApp client (WIS) and a server-side exploit dubbed Heaven to deliver spyware via NSO-controlled infrastructure. WhatsApp closed this vector with security updates in September and December 2018.

NSO then developed a new exploit, Eden, in February 2019 to bypass updated protections. By May 2019, WhatsApp observed approximately 1,400 targeted devices, including those of lawyers, journalists, human rights defenders, political dissidents, diplomats, and government officials. During the same period, WhatsApp addressed a critical VoIP flaw (CVE-2019-3568), underscoring how zero-click vectors can leverage weaknesses in call signaling and media handling where input validation fails.

Human rights risk and strategic exposure

The victim profile demonstrates a dual risk: exposure of sensitive personal data and potential strategic leakage of confidential communications. For organizations, this validates the need for tailored controls for high-risk personnel and for defenses against zero-click attacks, which require no user interaction and can bypass traditional awareness training.

Legal precedent and market impact for spyware vendors

A permanent injunction against a commercial spyware supplier is rare and sets a meaningful precedent for vendor accountability in the exploit and surveillanceware market. While NSO argued it could not continue its business without Pegasus, the court prioritized the harm to secure communications and user privacy. The reduction of damages to $4 million reflects an adjustment to the calculation method, not a reversal on liability or the cease-and-delete obligations.

For the broader industry, the decision amplifies legal and compliance risks for companies dealing in zero-day vulnerabilities, interception tools, and intrusion services. These risks include export controls (e.g., the U.S. Commerce Department’s Entity List designation of NSO Group in 2021), mandatory data deletion, and injunctions that can halt product lines outright.

Practical mobile security recommendations against zero-click threats

  • Harden mobile fleets: Use MDM/MAM to enforce policies, isolate work profiles, and monitor anomalies in VoIP and messaging app behavior.
  • Patch with priority: Fast-track updates for communications apps and media codecs—common targets for zero-click exploits.
  • Protect high-risk groups: Provide training, assign separate devices, minimize attack surface (e.g., limit auto-preview and call features), and enable rapid rotation of devices, SIMs, and cryptographic keys.
  • Threat hunting and DFIR: Establish playbooks for suspected mobile compromises, including immediate isolation and forensic triage with trusted tooling.

The WhatsApp v. NSO ruling signals more assertive legal action against spyware operations and affirms the sanctity of end-to-end encryption. Security leaders should reassess mobile threat models, accelerate patching cadences for communications stacks, and implement dedicated protections for high-risk users. Track vulnerability advisories affecting messengers and VoIP, and when compromise indicators emerge, isolate affected devices promptly and initiate a forensics-led response.
