HACKERS were able to install spyware on WhatsApp by exploiting a major vulnerability in the app, the company has confirmed.
The messaging service, which is owned by Facebook, said it believes “a select number of users” were targeted by an “advanced cyber actor”.
It is unclear how many devices were affected, but a WhatsApp spokesperson said a number in the dozens would not be inaccurate.
The company discovered the breach in early May and has informed a number of human rights organisations.
WhatsApp says it has since fixed the vulnerability and is urging people to upgrade to the latest version of the app. It has not been confirmed who carried out the attack, but it was said to have hallmarks of a private company that works with governments to deliver spyware.
The Financial Times has reported the spyware was developed by NSO Group, an Israeli cybersecurity and intelligence company.
It's feared a UK-based lawyer, who did not want to be named, was among those targeted.
The NSO Group told the paper: “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies.
“NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual (the UK lawyer).”
The technology would allow it to take over the functions of mobile phone operating systems.
WhatsApp has said it is “deeply concerned” about the abuse of such capabilities, and has briefed a number of human rights organisations.
The vulnerability allowed the app to be infected with spyware through a missed call made using its in-app call function.
The company has provided information to US law enforcement to help them conduct an investigation.
A WhatsApp spokesperson said: “WhatsApp encourages people to upgrade to the latest version of our app, as well as keep their mobile operating system up to date, to protect against potential targeted exploits designed to compromise information stored on mobile devices.
“We are constantly working alongside industry partners to provide the latest security enhancements to help protect our users.”
Danna Ingleton, deputy director of Amnesty International Tech, tweeted: “Just to reiterate, this means ‘zero click’ targeting is actually happening. Now, more than ever, we need some accountability from this company and better Due Diligence processes in the industry.” – bbc.com