The Financial Times reports that a vulnerability in the popular WhatsApp app allowed attackers to inject Israeli spyware onto both Android and iOS devices.
The spyware was created by Israeli company NSO Group and was delivered by calling users via WhatsApp on iOS and Android. The malicious code could be transmitted even if the targeted user did not answer the call. The call would not show up in WhatsApp call logs, so the user wouldn’t even realize they had been targeted.
Not many other details are available, but it appears the flaw that allowed this was open for several weeks.
WhatsApp said in a statement:
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.”
FT says the WhatsApp team’s investigation is in its early stages, and the team hasn’t yet been able to “estimate how many phones were targeted.” The Facebook-owned app is used by over 1.5 billion people around the globe.
WhatsApp notified the United States Department of Justice last week. The company began deploying a fix for the issue to its own servers on Friday, and deployed a fix for the issue on Monday.
Israeli-owned NSO Group specializes in developing tools used by governments everywhere to fight terrorism and crime. The firm told FT that it “would, or could not, use its technology in its own right to target any person or organization.”