Spyware spread by an “advanced cyber actor” infected multiple mobile phones using a major vulnerability in WhatsApp.
The Facebook-owned company confirmed that a “select number” of users had been victims and that the bug affects all but the latest version of the app on iOS and Android.
It involved cyber hackers using WhatsApp’s voice calling function to ring a device. The surveillance software would then be installed, even if that call was not picked up.
The Financial Times on Monday evening reported that the NSO Group, an Israeli company that provides hacking tools and “cracking” hardware, which has been used by authorities to unlock iPhones to find evidence, had been using the loophole up until Sunday evening, when it targeted an Amnesty International human rights lawyer.
The organisation is fighting for the NSO Group to have its export license withdrawn by the Israeli government.
A spokesman for NSO said that it was investigating the issue and that it “would not, or could not” use its own technology to target “any person or organisation”, including the Amnesty lawyer.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said.
It also said that it had carefully vetted customers and investigated any abuse. The company has previously been accused of selling software used to spy on the phone of the murdered Saudi Arabian journalist Jamal Khashoggi.
John Scott-Railton, a researcher with the internet watchdog Citizen Lab, called the hack “a very scary vulnerability.” “There’s nothing a user could have done here, short of not having the app,” he said.
The spokesman said WhatsApp, which has more than 1.5 billion users, immediately contacted Citizen Lab and human rights groups, quickly fixed the issue and pushed out a patch. He said WhatsApp also provided information to U.S. law enforcement officials to assist in their investigation.
He said the flaw was discovered while “our team was putting some additional security enhancements to our voice calls” and that engineers found that people targeted for infection “might get one or two calls from a number that is not familiar to them. In the process of calling, this code gets shipped.”
“We are deeply concerned about the abuse of such capabilities,” WhatsApp said in a statement.
The revelation adds to the questions over the reach of the Israeli company’s powerful spyware, which can hijack smartphones, control their cameras and effectively turn them into pocket-sized surveillance devices.
Last week Facebook announced it would be end-to-end encrypting its Facebook Messenger app, in a new focus on “privacy first” after years of privacy and security mishaps.
The company previously announced plans to merge WhatsApp, Facebook and Instagram’s software architecture, raising the question as to whether an insecurity in one platform will lead to holes across all three products.