NSO Group Is Still Targeting WhatsApp Users — What It Means for Your Phone Security

A court banned them. A jury fined them. And yet, on June 8, 2026, Meta was back in federal court — this time asking a judge to hold the NSO Group in contempt. Because despite a permanent legal injunction specifically prohibiting it, NSO Group had allegedly started targeting WhatsApp users again.

If that sounds like something that should not be possible, you are right. And that is exactly the problem.

This story is not just about one tech company fighting another in court. It is about a form of surveillance software so powerful and so difficult to detect that legal judgments alone cannot seem to stop it. Understanding what NSO Group is, what its tools actually do to a phone, and what you can do about it — that is what this article is for.

Who Is NSO Group?

NSO Group is an Israeli cyber-intelligence firm founded in 2010. Its flagship product is a piece of spyware called Pegasus, developed for eavesdropping on mobile phones and harvesting their data. The spyware has been highly controversial, used to track politicians, government leaders, human rights activists, dissidents, and journalists.

The company has always maintained that it only sells to governments and only for legitimate law enforcement purposes — tracking terrorists, drug traffickers, and violent criminals. NSO Group says its clients are always governments, never private individuals or companies. That claim is technically true in one narrow sense: the buyers are government agencies. But the targets of those agencies have repeatedly turned out to be journalists, opposition politicians, lawyers, and ordinary activists — not the criminals NSO Group describes in its marketing materials.

NSO Group operates under Israel's export control system, which classifies Pegasus as military-grade technology, requiring Ministry of Defense approval for every sale. In other words, every deployment of this tool has, in some sense, been approved by a government. That is what makes it so difficult to shut down. It is not a criminal hacker in a basement. It is a licensed product sold by a private company, approved by a government, and used by another government against people it considers threats.

What Pegasus Actually Does to a Phone

To understand why this matters, you need to know what Pegasus is actually capable of — because it goes far beyond reading your messages.

Pegasus works on most Android and iOS operating systems, and it can be installed covertly without any action by the device owner. Once installed on a phone, the spyware leaves no obvious trace of its existence. It can monitor calls, capture text messages, track a user's location, and collect passwords, photos, and other data.

The software can infiltrate smartphones running iOS or Android and can extract messages, photos, and other data, and even remotely activate cameras and microphones. That means someone running Pegasus on a target's phone can hear conversations happening in the room — not just calls, but anything within range of the microphone — without the phone owner ever knowing.

The most alarming capability is what security researchers call a "zero-click" attack. Zero-click capability allows for infection to occur without any actions or consent from the device owner. Therefore, surveillance victims may have no way of protecting their devices from such an intrusion. You do not need to click a link. You do not need to open a file. Simply receiving a message on the right app can, in some versions of Pegasus, be enough for the phone to be compromised.

Pegasus allows its users to commandeer the device itself, gaining access to everything on it. It also monitors the keystrokes on an infected device — all written communications and web searches, even passwords — and returns them to the client. Every password you type. Every search you run. Every message you write — even before you send it.

What Happened on June 8, 2026

This week's news is the latest chapter in a legal battle that started in 2019 when WhatsApp first sued NSO Group. Meta's battle with the company behind the infamous Pegasus spyware dates back to 2019, when it sued the firm for targeting human rights activists, journalists, political dissidents, and others. A jury last year awarded Meta $167 million in damages, which was later reduced by a judge to $4 million. That judgment also came with a permanent injunction that banned NSO from targeting WhatsApp and its users.

Less than a year after that injunction, Meta says NSO is back. WhatsApp says NSO Group violated the court order by continuing to target WhatsApp users through spyware-related operations. Recent activity includes running spear-phishing campaigns that lured users to malicious websites via links sent outside WhatsApp, conducting social engineering attacks similar to past NSO-linked one-click phishing campaigns, and creating WhatsApp test accounts and groups as part of preparations for targeting operations.

According to a Meta spokesperson, the latest phishing campaign targeted fewer than 10 WhatsApp users who were primarily in Jordan and Lebanon. "We have not seen signs of compromise among identified targets," the spokesperson said. The attack was disrupted before it succeeded — but the fact that it was attempted at all, after a court banned it, is the story.

Meta stated: "We successfully disrupted NSO-linked social engineering attempts after investigating user reports. They tried to trick people into clicking on malicious links to drive them to external websites outside of WhatsApp, similar to previously reported 1-click phishing campaigns linked to NSO."

Meta renewed its criticism of the broader commercial spyware industry in the announcement: "No technology is off-limits to surveillance-for-hire firms, whose reported targets range from journalists to government officials, military personnel, and humanitarian organizations."

Why Court Orders Are Not Enough

You might reasonably ask: if a court has permanently banned NSO Group from targeting WhatsApp users, why is this still happening? The answer reveals how difficult it is to regulate a company selling surveillance tools across international borders.

NSO Group is an Israeli company. Its clients are governments around the world. The targets are individuals in dozens of different countries. A US court order applies within US jurisdiction — but enforcing it against a foreign company whose clients are sovereign governments is a different matter entirely. NSO's own CEO has confirmed in court that the company actively seeks "vectors, or ways to access the phone" beyond WhatsApp — including browsers, operating systems, and third-party applications. WhatsApp is just one door. If that door gets locked, they look for another one.

Meta's warning is broader than one app. The company says surveillance-for-hire vendors keep searching for ways into phones, including browsers, operating systems, and other apps. Winning one lawsuit does not stop the industry. It stops one company from using one specific platform — temporarily, apparently, and imperfectly.

What You Can Actually Do to Protect Yourself

The honest answer is that if a state-sponsored actor specifically wants to install Pegasus on your phone, there is very little an ordinary person can do to prevent a zero-click attack. But most people are not the target of state-level surveillance. The June 2026 campaign used phishing — tricks to get people to click on malicious links — which is something you can defend against.

The most effective habit is the simplest: do not click links in unexpected messages, even if the message appears to come from someone you know. The latest NSO-linked campaign used links sent outside WhatsApp, through text messages or other channels, designed to look legitimate. Pausing before clicking anything unusual is genuinely protective.

Keeping your phone's operating system updated is the next most important step. Many spyware attacks exploit known security vulnerabilities that have already been patched in the latest software version. A phone running outdated software is a much easier target than one that is current. Both Apple and Android release security patches regularly for exactly this reason — the patches are directly responding to discovered vulnerabilities.

Restarting your phone regularly is a tactic recommended by security researchers specifically for Pegasus. Some versions of the spyware do not survive a reboot, because they live in the phone's active memory rather than its permanent storage. A daily restart is a low-effort, meaningful precaution.

Enabling Lockdown Mode on iPhones is worth considering for anyone who believes they may be at elevated risk — journalists, activists, lawyers, or government employees. Apple introduced this feature specifically to block the kinds of attack vectors that Pegasus exploits. It restricts certain phone functions, but it significantly hardens the device against sophisticated spyware.

The Bigger Picture

What NSO Group represents is not a single company making a bad product. It is an entire industry — what Meta calls "surveillance-for-hire" — that builds and sells tools specifically designed to get around every protection your phone has. In May 2026, 12 civil rights organizations filed amicus briefs in support of the permanent injunction against NSO's appeal. The legal fight is ongoing. The technical fight never stops.

The June 2026 campaign was caught and disrupted. But the more important lesson from this story is not that the attack failed. It is that the attack happened at all, less than a year after a court said it never could again. If a permanent legal injunction is not enough to stop a commercial spyware company, the protection has to come from somewhere else — from better technology, from users who know what to look for, and from an ongoing commitment by companies like Meta to keep detecting and disrupting attempts before they succeed.

Update your phone. Think before you click. And pay attention — because even when the courts are watching, the surveillance industry keeps working.