Hackers found a way to use messaging app WhatsApp to install spyware onto phones.
The Financial Times reported that a vulnerability in the popular app — which currently has 1.5 billion users worldwide — allowed the attackers to install commercial Israeli surveillance spyware onto both iPhones and Android phones via the app’s phone call function. In fact, the malicious code could be transmitted even if users did not answer their phones.
The code was developed by the Israeli company NSO Group, creator of Pegasus, a program that can turn on a phone’s microphone and camera, search through emails and messages, and collect location data. NSO claims the product was designed to fight terrorism and crime, and advertises it to Middle Eastern and Western intelligence agencies.
For its part, WhatsApp said that teams of engineers in San Francisco and London worked to close the vulnerability, with the company rolling out a fix to its servers last Friday. A patch for customers was released on Monday (May 13).
“This attack has all the hallmarks of a private company known to work with governments to deliver spyware that reportedly takes over the functions of mobile phone operating systems,” the company said. “We have briefed a number of human rights organizations to share the information we can, and to work with them to notify civil society.”
A source revealed that WhatsApp reported the issue to the U.S. Department of Justice last week. NSO, for its part, said it had carefully screened customers and had investigated any complaints regarding abuse.
“Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation.”