While the perpetrators haven't been identified, there are suspicions that it may be a Middle Eastern country trying to clamp down on criticism of its human rights practices. There was a failed attempt on May 12th to compromise the phone of a UK-based human rights lawyer who helped a Saudi dissident in Canada and helped sue NSO for allegedly sharing in the liability of actions perpetrated by its customers. NSO pitches its software to Middle Eastern intelligence agencies, and rights activists in the region have previously received text messages attempting to install Pegasus on their devices.

WhatsApp has alerted human rights groups and the US Justice Department. It also said the effort had "all the hallmarks" of a private company that works with governments to push spyware. NSO, however, rejected the notion that it was involved. "Under no circumstances would NSO be involved in the operating or identifying of targets of its technology," the company said. It further claimed it screened customers and investigated abuse, including the attack on the UK lawyer.

The flaw should be fixed as you read this. WhatsApp delivered a server-side fix on May 10th, and release patched versions of its apps on May 13th. However, that doesn't address accusations that companies like NSO, Hacking Team and others have knowingly sold spyware to countries with histories of cracking down on dissidents. There are efforts to curtail these relationships, such as an imminent challenge to NSO Group's export abilities on May 15th. Unless those efforts are successful, though, it may be difficult to prevent spyware campaigns like this.