
Anatomy of a Breach: WhatsApp and NSO Group — A Missed Call That Hacked Your Phone

> series: anatomy_of_a_breach —— part: 125 —— weapon: pegasus_spyware —— delivery: zero-click_missed_call —— targets: journalists_lawyers_dissidents

Hedgehog Security 31 May 2019 14 min read

A missed call. No click required. Your phone is now a surveillance device.

In May 2019, WhatsApp disclosed that attackers had exploited CVE-2019-3568, a buffer overflow vulnerability in its VoIP (Voice over Internet Protocol) calling stack, to deliver NSO Group's Pegasus spyware to targeted phones. The exploit required zero interaction from the target — the attacker placed a WhatsApp call, and the spyware was installed whether or not the call was answered. The missed call was then deleted from the call log. The target had no indication that their phone had been compromised.

Pegasus, developed by Israeli surveillance firm NSO Group, is one of the most sophisticated commercial spyware platforms ever created. Once installed, it can access all data on the phone — messages (including encrypted ones), emails, photos, contacts, location data, calendar entries — and can activate the microphone and camera for real-time surveillance. WhatsApp identified approximately 1,400 targeted users across 20 countries, including journalists, human rights lawyers, political dissidents, and diplomats. WhatsApp's parent company Meta sued NSO Group, and the case established important legal precedents about the liability of surveillance technology vendors.



No link to click. No attachment to open. Just a missed call.

The WhatsApp/Pegasus attack represented a paradigm shift in mobile exploitation. Previous mobile compromises — including those documented in the iCloud photo leak (2014) and the CIA's Vault 7 tools (2017) — required some form of user interaction: clicking a link, opening an attachment, or entering credentials on a phishing page. The WhatsApp exploit required nothing — a missed call that the target never needed to see was sufficient to install full surveillance capability.

Zero-Click = Unstoppable by Training

Security awareness training teaches staff not to click suspicious links or open unknown attachments. A zero-click exploit bypasses all training — there is nothing for the user to avoid. Defence against zero-click attacks requires patching (WhatsApp released a fix), device management, and monitoring. Cyber Essentials Danzell mandates prompt patching of all internet-facing software.

Commercial Surveillance Industry

NSO Group sells Pegasus to government agencies worldwide — including governments with documented records of human rights abuses, as the Hacking Team leak (2015) also revealed. The commercial surveillance industry provides nation-state-grade capabilities to any government willing to pay, expanding the threat model for at-risk individuals and organisations. UK Cyber Defence's threat intelligence (https://www.cyber-defence.io/services/threat-intelligence) tracks commercial surveillance tool deployment.

Total Device Compromise

Once Pegasus is installed, the attacker has complete access to the device — all messages (including those in end-to-end encrypted apps), all photos, all contacts, real-time microphone and camera access, and location tracking. No consumer security product can detect or prevent Pegasus once installed. For organisations with high-risk personnel, our mobile security assessments evaluate device management and monitoring capabilities.

Legal Precedent

WhatsApp's lawsuit against NSO Group established that surveillance technology vendors can be held legally liable for enabling attacks on private communications. The case set precedents for the accountability of 'offensive security' companies. For organisations that develop or sell security tools, legal exposure from misuse by customers is now a demonstrated risk.

If Pegasus can hack any phone, what does 'secure' mean?

The WhatsApp/Pegasus attack challenged fundamental assumptions about mobile security. If a zero-click exploit can install full surveillance capability through a missed WhatsApp call — on any iPhone or Android device, regardless of what other security measures are in place — then the question is not whether phones can be secured but what level of protection is achievable against state-grade adversaries.

For most UK organisations, nation-state surveillance via Pegasus is not a likely threat. But the techniques and vulnerability classes that Pegasus exploits — buffer overflows in communications software — apply broadly. Cyber Essentials mandates prompt patching of all internet-facing software including mobile apps. Our mobile application testing assesses mobile security posture. SOC in a Box monitors for indicators of mobile compromise. And UK Cyber Defence provides threat intelligence on surveillance tool capabilities targeting specific sectors.
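The vulnerability class named above, a buffer overflow in code that parses network input before the user has done anything, shown as an added example beside its hardened form. This is not WhatsApp's code or protocol: the packet layout, constants and function names are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for an incoming-call control packet (hypothetical):
 * [type:1][len:2, big-endian][payload:len] */
#define CTRL_HDR_LEN  3
#define CTRL_MAX_BODY 64

struct ctrl_msg { uint8_t type; uint16_t len; uint8_t body[CTRL_MAX_BODY]; };

/* Vulnerable form: trusts the sender's length field. A parser like this runs
 * when the call arrives, before it is answered, so no interaction is needed. */
int parse_ctrl_unchecked(const uint8_t *pkt, size_t pkt_len, struct ctrl_msg *out)
{
    (void)pkt_len;                                    /* never consulted: the defect */
    out->type = pkt[0];
    out->len  = (uint16_t)((pkt[1] << 8) | pkt[2]);
    memcpy(out->body, pkt + CTRL_HDR_LEN, out->len);  /* up to 65535 bytes into 64 */
    return 0;
}

/* Hardened form: the claimed length is checked against the destination
 * capacity and against the bytes actually received before any copy. */
int parse_ctrl_checked(const uint8_t *pkt, size_t pkt_len, struct ctrl_msg *out)
{
    if (pkt == NULL || out == NULL || pkt_len < CTRL_HDR_LEN)
        return -1;                                    /* truncated header */
    uint16_t len = (uint16_t)((pkt[1] << 8) | pkt[2]);
    if (len > CTRL_MAX_BODY)
        return -2;                                    /* would overflow out->body */
    if ((size_t)len > pkt_len - CTRL_HDR_LEN)
        return -3;                                    /* would read past the packet */
    out->type = pkt[0];
    out->len  = len;
    memcpy(out->body, pkt + CTRL_HDR_LEN, len);
    return 0;
}

int main(void)
{
    /* Constructed packet: header claims 0xFFFF payload bytes, one byte sent. */
    const uint8_t hostile[] = { 0x01, 0xFF, 0xFF, 0x41 };
    struct ctrl_msg m;
    printf("checked parser returned %d\n", parse_ctrl_checked(hostile, sizeof hostile, &m));
    return 0;
}
```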


A missed WhatsApp call installed full surveillance. Are your mobile devices managed and monitored?

Cyber Essentials mandates mobile patching. Our mobile testing assesses device security. SOC in a Box (https://www.socinabox.co.uk) monitors for compromise indicators.
